From 5528f1a5be829b65573d4f527052be6195a96839 Mon Sep 17 00:00:00 2001 From: Matthieu Huin Date: Wed, 20 Nov 2013 17:55:49 +0100 Subject: [PATCH] Limited use trusts Trusts now have a "remaining_uses" field that tracks how many times a trust can still issue a token. It is decremented by 1 each time a trust related authentication occurs (call to /auth/tokens), until it reaches 0 and no token can be issued through this trust anymore. If set to null (default value), trusts can be used indefinitely to authenticate. This is the client side of the implementation. Closes-Bug: #1250617 Implements: bp trusts-chained-delegation Change-Id: Ib035a9772b7f035c3a9af102e8e15a860a96a96d --- keystoneclient/tests/v3/test_trusts.py | 8 ++++++++ keystoneclient/v3/contrib/trusts.py | 6 +++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/keystoneclient/tests/v3/test_trusts.py b/keystoneclient/tests/v3/test_trusts.py index f47fc7fd3..43bfb1b53 100644 --- a/keystoneclient/tests/v3/test_trusts.py +++ b/keystoneclient/tests/v3/test_trusts.py @@ -40,6 +40,14 @@ class TrustTests(utils.TestCase, utils.CrudTests): ref['impersonation'] = False super(TrustTests, self).test_create(ref=ref) + def test_create_limited_uses(self): + ref = self.new_ref() + ref['trustor_user_id'] = uuid.uuid4().hex + ref['trustee_user_id'] = uuid.uuid4().hex + ref['impersonation'] = False + ref['remaining_uses'] = 5 + super(TrustTests, self).test_create(ref=ref) + def test_create_roles(self): ref = self.new_ref() ref['trustor_user_id'] = uuid.uuid4().hex diff --git a/keystoneclient/v3/contrib/trusts.py b/keystoneclient/v3/contrib/trusts.py index 1dde538f7..a59cef979 100644 --- a/keystoneclient/v3/contrib/trusts.py +++ b/keystoneclient/v3/contrib/trusts.py 
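Review bot: `test_create_limited_uses` pins a single positive value (`ref['remaining_uses'] = 5`), so the default path of a field that caps token issuance is left untested on the client side. I would add a companion case that builds the ref without `remaining_uses` and asserts the key is absent from the create request. That guards against a later change sending `0` or some other default and silently changing how long a trust stays usable. How the inherited `test_create` compares the request body is not visible in this hunk, so the exact assertion would have to follow that helper.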
@@ -37,7 +37,7 @@ class TrustManager(base.CrudManager): def create(self, trustee_user, trustor_user, role_names=None, project=None, impersonation=False, expires_at=None, - **kwargs): + remaining_uses=None, **kwargs): """Create a Trust. :param string trustee_user: user who is capable of consuming the trust :param string trustor_user: user who's authorization is being delegated @@ -45,6 +45,9 @@ class TrustManager(base.CrudManager): :param string project: project which the trustor is delegating :param boolean impersonation: enable explicit impersonation :param datetime.datetime expires_at: expiry time + :param integer remaining_uses: how many times this trust can be used + to generate a token. None means + unlimited tokens. """ # Convert role_names list into list-of-dict API format if role_names: @@ -62,6 +65,7 @@ class TrustManager(base.CrudManager): expires_at=expires_str, impersonation=impersonation, project_id=base.getid(project), + remaining_uses=remaining_uses, roles=roles, trustee_user_id=base.getid(trustee_user), trustor_user_id=base.getid(trustor_user),
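Review bot: `remaining_uses` is accepted in the signature here and forwarded unchecked in the last hunk (`remaining_uses=remaining_uses,`), so `0` or a negative number reaches the server exactly as the caller passed it. Because this value bounds how many tokens a delegation can issue, I would reject anything other than `None` or a positive integer before the request is built, e.g. `if remaining_uses is not None and remaining_uses < 1: raise ValueError('remaining_uses must be a positive integer or None')`, plus whatever integer type check the project prefers. The body of `create` starts and ends outside these hunks, and the server may well reject such values itself; the client check is for an early, unambiguous error, not for enforcement.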
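Review bot: The new `:param integer remaining_uses:` text does not say where the limit is enforced, which matters because the commit message states this is only the client side. If the target server predates the field and ignores attributes it does not know (not visible here, to be confirmed), a caller passing `remaining_uses=1` would get a trust with no use limit and no error. I would extend the docstring with a sentence such as `The limit is enforced by the server; check remaining_uses on the returned trust to confirm it was applied.`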