def update_config_option(self, domain_id, group, option, value,
sensitive=False):
with sql.session_for_write() as session:
ref = self._get_config_option(session, domain_id, group, option,
sensitive)
ref.value = value
return ref.to_dict()
def create_project(self, project_id, project):
project['name'] = clean.project_name(project['name'])
new_project = self._encode_domain_id(project)
with sql.session_for_write() as session:
project_ref = Project.from_dict(new_project)
session.add(project_ref)
return project_ref.to_dict()
def delete_domain_assignments(self, domain_id):
with sql.session_for_write() as session:
q = session.query(RoleAssignment)
q = q.filter(RoleAssignment.target_id == domain_id).filter(
(RoleAssignment.type == AssignmentType.USER_DOMAIN) |
(RoleAssignment.type == AssignmentType.GROUP_DOMAIN))
q.delete(False)
def delete_endpoint_group(self, endpoint_group_id):
with sql.session_for_write() as session:
endpoint_group_ref = self._get_endpoint_group(session,
endpoint_group_id)
self._delete_endpoint_group_association_by_endpoint_group(
session, endpoint_group_id)
session.delete(endpoint_group_ref)
def _sync_common_repo(version):
abs_path = find_repo(LEGACY_REPO)
init_version = get_init_version()
with sql.session_for_write() as session:
engine = session.get_bind()
_assert_not_schema_downgrade(version=version)
migration.db_sync(engine, abs_path, version=version, init_version=init_version, sanity_check=False)
def create_access_token(self, request_id, access_token_duration):
access_token_id = uuid.uuid4().hex
access_token_secret = uuid.uuid4().hex
with sql.session_for_write() as session:
req_token_ref = self._get_request_token(session, request_id)
token_dict = req_token_ref.to_dict()
expiry_date = None
if access_token_duration:
now = timeutils.utcnow()
future = (now +
datetime.timedelta(seconds=access_token_duration))
expiry_date = utils.isotime(future, subsecond=True)
# add Access Token
ref = {}
ref['id'] = access_token_id
ref['access_secret'] = access_token_secret
ref['authorizing_user_id'] = token_dict['authorizing_user_id']
ref['project_id'] = token_dict['requested_project_id']
ref['role_ids'] = token_dict['role_ids']
ref['consumer_id'] = token_dict['consumer_id']
ref['expires_at'] = expiry_date
token_ref = AccessToken.from_dict(ref)
session.add(token_ref)
# remove request token, it's been used
session.delete(req_token_ref)
return token_ref.to_dict()
def delete_tokens(self, user_id, tenant_id=None, trust_id=None,
consumer_id=None):
"""Delete all tokens in one session.
The user_id will be ignored if the trust_id is specified. user_id
will always be specified.
If using a trust, the token's user_id is set to the trustee's user ID
or the trustor's user ID, so will use trust_id to query the tokens.
"""
token_list = []
with sql.session_for_write() as session:
now = timeutils.utcnow()
query = session.query(TokenModel)
query = query.filter_by(valid=True)
query = query.filter(TokenModel.expires > now)
if trust_id:
query = query.filter(TokenModel.trust_id == trust_id)
else:
query = query.filter(TokenModel.user_id == user_id)
for token_ref in query.all():
if tenant_id:
token_ref_dict = token_ref.to_dict()
if not self._tenant_matches(tenant_id, token_ref_dict):
continue
if consumer_id:
token_ref_dict = token_ref.to_dict()
if not self._consumer_matches(consumer_id, token_ref_dict):
continue
token_ref.valid = False
token_list.append(token_ref.id)
return token_list
def _create_user(self, user_dict, last_active_at):
user_dict['id'] = uuid.uuid4().hex
with sql.session_for_write() as session:
user_ref = model.User.from_dict(user_dict)
user_ref.last_active_at = last_active_at
session.add(user_ref)
return base.filter_user(user_ref.to_dict())
def _sync_extension_repo(extension, version):
if extension in MIGRATED_EXTENSIONS:
raise exception.MigrationMovedFailure(extension=extension)
with sql.session_for_write() as session:
engine = session.get_bind()
try:
package_name = '.'.join((contrib.__name__, extension))
package = importutils.import_module(package_name)
except ImportError:
raise ImportError(_("%s extension does not exist.")
% package_name)
try:
abs_path = find_migrate_repo(package)
try:
migration.db_version_control(engine, abs_path)
# Register the repo with the version control API
# If it already knows about the repo, it will throw
# an exception that we can safely ignore
except exceptions.DatabaseAlreadyControlledError: # nosec
pass
except exception.MigrationNotProvided as e:
print(e)
sys.exit(1)
_assert_not_schema_downgrade(extension=extension, version=version)
init_version = get_init_version(abs_path=abs_path)
migration.db_sync(engine, abs_path, version=version,
init_version=init_version, sanity_check=False)
def update_config_options(self, domain_id, option_list):
with sql.session_for_write() as session:
for option in option_list:
self._delete_config_options(session, domain_id, option["group"], option["option"])
self._create_config_option(
session, domain_id, option["group"], option["option"], option["sensitive"], option["value"]
)
def update_user(self, user_id, user):
with sql.session_for_write() as session:
user_ref = self._get_user(session, user_id)
old_user_dict = user_ref.to_dict()
for k in user:
old_user_dict[k] = user[k]
new_user = model.User.from_dict(old_user_dict)
for attr in model.User.attributes:
if attr not in model.User.readonly_attributes:
setattr(user_ref, attr, getattr(new_user, attr))
# Move the "_resource_options" attribute over to the real user_ref
# so that resource_options.resource_options_ref_to_mapper can
# handle the work.
setattr(user_ref, '_resource_options',
getattr(new_user, '_resource_options', {}))
# Move options into the proper attribute mapper construct
resource_options.resource_options_ref_to_mapper(
user_ref, model.UserOption)
if 'password' in user:
user_ref.password = user['password']
if self._change_password_required(user_ref):
expires_now = datetime.datetime.utcnow()
user_ref.password_ref.expires_at = expires_now
user_ref.extra = new_user.extra
return base.filter_user(
user_ref.to_dict(include_extra_dict=True))
def delete_region(self, region_id):
with sql.session_for_write() as session:
ref = self._get_region(session, region_id)
if self._has_endpoints(session, ref, ref):
raise exception.RegionDeletionError(region_id=region_id)
self._delete_child_regions(session, region_id, region_id)
session.delete(ref)
def _record_failed_auth(self, user_id):
with sql.session_for_write() as session:
user_ref = session.query(model.User).get(user_id)
if not user_ref.local_user.failed_auth_count:
user_ref.local_user.failed_auth_count = 0
user_ref.local_user.failed_auth_count += 1
user_ref.local_user.failed_auth_at = datetime.datetime.utcnow()
def unset_default_project_id(self, project_id):
with sql.session_for_write() as session:
query = session.query(model.User)
query = query.filter(model.User.default_project_id == project_id)
for user in query:
user.default_project_id = None
def delete_application_credentials_for_user_on_project(self, user_id,
project_id):
with sql.session_for_write() as session:
query = session.query(ApplicationCredentialModel)
query = query.filter_by(user_id=user_id)
query = query.filter_by(project_id=project_id)
query.delete()
def create_application_credential(self, application_credential, roles,
access_rules=None):
app_cred = application_credential.copy()
self._hash_secret(app_cred)
with sql.session_for_write() as session:
ref = ApplicationCredentialModel.from_dict(app_cred)
session.add(ref)
for role in roles:
app_cred_role = ApplicationCredentialRoleModel()
app_cred_role.application_credential = ref
app_cred_role.role_id = role['id']
session.add(app_cred_role)
if access_rules:
for access_rule in access_rules:
access_rule_ref = AccessRuleModel.from_dict(access_rule)
session.add(access_rule_ref)
app_cred_access_rule = ApplicationCredentialAccessRuleModel()
app_cred_access_rule.application_credential = ref
app_cred_access_rule.access_rule = access_rule_ref
session.add(app_cred_access_rule)
application_credential_dict = ref.to_dict()
application_credential_dict.pop('internal_id')
application_credential_dict['roles'] = roles
if access_rules is not None:
application_credential_dict['access_rules'] = access_rules
return application_credential_dict
def create_user(self, user_id, user):
user = utils.hash_user_password(user)
with sql.session_for_write() as session:
user_ref = model.User.from_dict(user)
user_ref.created_at = datetime.datetime.utcnow()
session.add(user_ref)
return base.filter_user(user_ref.to_dict())
def test_start_version_db_init_version(self):
with sql.session_for_write() as session:
version = migration.db_version(session.get_bind(), self.repo_path,
self._initial_db_version)
self.assertEqual(
self._initial_db_version,
version,
'DB is not at version %s' % self._initial_db_version)
def get_db_version(extension=None):
if not extension:
with sql.session_for_write() as session:
return migration.db_version(session.get_bind(),
find_migrate_repo(),
get_init_version())
try:
package_name = '.'.join((contrib.__name__, extension))
package = importutils.import_module(package_name)
except ImportError:
raise ImportError(_("%s extension does not exist.")
% package_name)
with sql.session_for_write() as session:
return migration.db_version(
session.get_bind(), find_migrate_repo(package), 0)
def create_federated_user(self, federated_dict):
user = {"id": uuid.uuid4().hex, "enabled": True}
with sql.session_for_write() as session:
federated_ref = model.FederatedUser.from_dict(federated_dict)
user_ref = model.User.from_dict(user)
user_ref.federated_users.append(federated_ref)
session.add(user_ref)
return identity_base.filter_user(user_ref.to_dict())
def setUp(self):
super(Database, self).setUp()
with sql.session_for_write() as session:
self.engine = session.get_bind()
self.addCleanup(sql.cleanup)
sql.ModelBase.metadata.create_all(bind=self.engine)
self.addCleanup(sql.ModelBase.metadata.drop_all, bind=self.engine)
def delete_project_assignments(self, project_id):
with sql.session_for_write() as session:
q = session.query(RoleAssignment)
q = q.filter_by(target_id=project_id).filter(
RoleAssignment.type.in_((AssignmentType.USER_PROJECT,
AssignmentType.GROUP_PROJECT))
)
q.delete(False)
def delete_group_assignments(self, group_id):
with sql.session_for_write() as session:
q = session.query(RoleAssignment)
q = q.filter_by(actor_id=group_id).filter(
RoleAssignment.type.in_((AssignmentType.GROUP_PROJECT,
AssignmentType.GROUP_DOMAIN))
)
q.delete(False)
def update_config_options(self, domain_id, option_list):
with sql.session_for_write() as session:
for option in option_list:
self._delete_config_options(
session, domain_id, option['group'], option['option'])
self._create_config_option(
session, domain_id, option['group'], option['option'],
option['sensitive'], option['value'])
def release_registration(self, domain_id, type=None):
"""Silently delete anything registered for the domain specified."""
with sql.session_for_write() as session:
query = session.query(ConfigRegister)
if type:
query = query.filter_by(type=type)
query = query.filter_by(domain_id=domain_id)
query.delete(False)
def change_password(self, user_id, new_password):
with sql.session_for_write() as session:
user_ref = session.query(model.User).get(user_id)
if user_ref.password_ref and user_ref.password_ref.self_service:
self._validate_minimum_password_age(user_ref)
self._validate_password_history(new_password, user_ref)
user_ref.password = utils.hash_password(new_password)
user_ref.password_ref.self_service = True
def revoke(self, event):
kwargs = dict()
for attr in revoke_model.REVOKE_KEYS:
kwargs[attr] = getattr(event, attr)
record = RevocationEvent(**kwargs)
with sql.session_for_write() as session:
session.add(record)
self._prune_expired_events()
def create_protocol(self, idp_id, protocol_id, protocol):
protocol['id'] = protocol_id
protocol['idp_id'] = idp_id
with sql.session_for_write() as session:
self._get_idp(session, idp_id)
protocol_ref = FederationProtocolModel.from_dict(protocol)
session.add(protocol_ref)
return protocol_ref.to_dict()
def create_mapping(self, mapping_id, mapping):
ref = {}
ref['id'] = mapping_id
ref['rules'] = mapping.get('rules')
with sql.session_for_write() as session:
mapping_ref = MappingModel.from_dict(ref)
session.add(mapping_ref)
return mapping_ref.to_dict()
def delete_access_token(self, user_id, access_token_id):
with sql.session_for_write() as session:
token_ref = self._get_access_token(session, access_token_id)
token_dict = token_ref.to_dict()
if token_dict['authorizing_user_id'] != user_id:
raise exception.Unauthorized(_('User IDs do not match'))
session.delete(token_ref)
def delete_tokens(self,
user_id,
tenant_id=None,
trust_id=None,
consumer_id=None):
"""Delete all tokens in one session.
The user_id will be ignored if the trust_id is specified. user_id
will always be specified.
If using a trust, the token's user_id is set to the trustee's user ID
or the trustor's user ID, so will use trust_id to query the tokens.
"""
token_list = []
with sql.session_for_write() as session:
now = timeutils.utcnow()
query = session.query(TokenModel)
query = query.filter_by(valid=True)
query = query.filter(TokenModel.expires > now)
if trust_id:
query = query.filter(TokenModel.trust_id == trust_id)
else:
query = query.filter(TokenModel.user_id == user_id)
for token_ref in query.all():
if tenant_id:
token_ref_dict = token_ref.to_dict()
if not self._tenant_matches(tenant_id, token_ref_dict):
continue
if consumer_id:
token_ref_dict = token_ref.to_dict()
if not self._consumer_matches(consumer_id, token_ref_dict):
continue
token_ref.valid = False
token_list.append(token_ref.id)
return token_list
def create_request_token(self, consumer_id, requested_project,
request_token_duration):
request_token_id = uuid.uuid4().hex
request_token_secret = uuid.uuid4().hex
expiry_date = None
if request_token_duration:
now = timeutils.utcnow()
future = now + datetime.timedelta(seconds=request_token_duration)
expiry_date = utils.isotime(future, subsecond=True)
ref = {}
ref['id'] = request_token_id
ref['request_secret'] = request_token_secret
ref['verifier'] = None
ref['authorizing_user_id'] = None
ref['requested_project_id'] = requested_project
ref['role_ids'] = None
ref['consumer_id'] = consumer_id
ref['expires_at'] = expiry_date
with sql.session_for_write() as session:
token_ref = RequestToken.from_dict(ref)
session.add(token_ref)
return token_ref.to_dict()
def setUp(self):
super(SqlMigrateBase, self).setUp()
self.load_backends()
database.initialize_sql_session()
conn_str = CONF.database.connection
if (conn_str != unit.IN_MEM_DB_CONN_STRING
and conn_str.startswith('sqlite')
and conn_str[10:] == unit.DEFAULT_TEST_DB_FILE):
# Override the default with a DB that is specific to the migration
# tests only if the DB Connection string is the same as the global
# default. This is required so that no conflicts occur due to the
# global default DB already being under migrate control. This is
# only needed if the DB is not-in-memory
db_file = unit.dirs.tmp('keystone_migrate_test.db')
self.config_fixture.config(group='database',
connection='sqlite:///%s' % db_file)
# create and share a single sqlalchemy engine for testing
with sql.session_for_write() as session:
self.engine = session.get_bind()
self.addCleanup(self.cleanup_instance('engine'))
self.Session = db_session.get_maker(self.engine, autocommit=False)
self.addCleanup(sqlalchemy.orm.session.Session.close_all)
self.initialize_sql()
self.repo_path = migration_helpers.find_migrate_repo(
self.repo_package())
self.schema = versioning_api.ControlledSchema.create(
self.engine, self.repo_path, self._initial_db_version)
# auto-detect the highest available schema version in the migrate_repo
self.max_version = self.schema.repository.version().version
self.addCleanup(sql.cleanup)
# drop tables and FKs.
self.addCleanup(self._cleanupDB)
def create_consumer(self, consumer_ref):
with sql.session_for_write() as session:
consumer = Consumer.from_dict(consumer_ref)
session.add(consumer)
return consumer.to_dict()
def delete_application_credentials_for_user(self, user_id):
with sql.session_for_write() as session:
query = session.query(ApplicationCredentialModel)
query = query.filter_by(user_id=user_id)
query.delete()
def _update_user_last_active_at(self, user_id, last_active_at):
with sql.session_for_write() as session:
user_ref = session.query(model.User).get(user_id)
user_ref.last_active_at = last_active_at
return user_ref
def create_sp(self, sp_id, sp):
sp['id'] = sp_id
with sql.session_for_write() as session:
sp_ref = ServiceProviderModel.from_dict(sp)
session.add(sp_ref)
return sp_ref.to_dict()
def delete_endpoint_group_association_by_project(self, project_id):
with sql.session_for_write() as session:
query = session.query(ProjectEndpointGroupMembership)
query = query.filter_by(project_id=project_id)
query.delete()
def remove_endpoint_group_from_project(self, endpoint_group_id,
project_id):
with sql.session_for_write() as session:
endpoint_group_project_ref = self._get_endpoint_group_in_project(
session, endpoint_group_id, project_id)
session.delete(endpoint_group_project_ref)
def create_region(self, region_ref):
with sql.session_for_write() as session:
self._check_parent_region(session, region_ref)
region = Region.from_dict(region_ref)
session.add(region)
return region.to_dict()
def delete_config_options(self, domain_id, group=None, option=None):
with sql.session_for_write() as session:
self._delete_config_options(session, domain_id, group, option)
def _update_password_created_at(self, user_id, password_create_at):
with sql.session_for_write() as session:
user_ref = session.query(model.User).get(user_id)
for password_ref in user_ref.local_user.passwords:
password_ref.created_at = password_create_at
def delete_endpoint(self, endpoint_id):
with sql.session_for_write() as session:
ref = self._get_endpoint(session, endpoint_id)
session.delete(ref)
def create_endpoint(self, endpoint_id, endpoint_ref):
new_endpoint = Endpoint.from_dict(endpoint_ref)
with sql.session_for_write() as session:
session.add(new_endpoint)
return new_endpoint.to_dict()
def create_service(self, service_id, service_ref):
with sql.session_for_write() as session:
service = Service.from_dict(service_ref)
session.add(service)
return service.to_dict()
def delete_service(self, service_id):
with sql.session_for_write() as session:
ref = self._get_service(session, service_id)
session.query(Endpoint).filter_by(service_id=service_id).delete()
session.delete(ref)
def delete_consumer(self, consumer_id):
with sql.session_for_write() as session:
self._delete_request_tokens(session, consumer_id)
self._delete_access_tokens(session, consumer_id)
self._delete_consumer(session, consumer_id)
def add_endpoint_group_to_project(self, endpoint_group_id, project_id):
with sql.session_for_write() as session:
# Create a new Project Endpoint group entity
endpoint_group_project_ref = ProjectEndpointGroupMembership(
endpoint_group_id=endpoint_group_id, project_id=project_id)
session.add(endpoint_group_project_ref)
def add_endpoint_to_project(self, endpoint_id, project_id):
with sql.session_for_write() as session:
endpoint_filter_ref = ProjectEndpoint(endpoint_id=endpoint_id,
project_id=project_id)
session.add(endpoint_filter_ref)
def delete_sp(self, sp_id):
with sql.session_for_write() as session:
sp_ref = self._get_sp(session, sp_id)
session.delete(sp_ref)
def delete_association_by_project(self, project_id):
with sql.session_for_write() as session:
query = session.query(ProjectEndpoint)
query = query.filter_by(project_id=project_id)
query.delete(synchronize_session=False)
def create_endpoint_group(self, endpoint_group_id, endpoint_group):
with sql.session_for_write() as session:
endpoint_group_ref = EndpointGroup.from_dict(endpoint_group)
session.add(endpoint_group_ref)
return endpoint_group_ref.to_dict()
def delete_project_assignments(self, project_id):
with sql.session_for_write() as session:
q = session.query(RoleAssignment)
q = q.filter_by(target_id=project_id)
q.delete(False)
def delete_role_assignments(self, role_id):
with sql.session_for_write() as session:
q = session.query(RoleAssignment)
q = q.filter_by(role_id=role_id)
q.delete(False)
def delete_group_assignments(self, group_id):
with sql.session_for_write() as session:
q = session.query(RoleAssignment)
q = q.filter_by(actor_id=group_id)
q.delete(False)
def delete_idp(self, idp_id):
with sql.session_for_write() as session:
self._delete_assigned_protocols(session, idp_id)
idp_ref = self._get_idp(session, idp_id)
session.delete(idp_ref)
def set_last_active_at(self, user_id):
if CONF.security_compliance.disable_user_account_days_inactive:
with sql.session_for_write() as session:
user_ref = session.query(model.User).get(user_id)
user_ref.last_active_at = datetime.datetime.utcnow().date()
def delete_protocol(self, idp_id, protocol_id):
with sql.session_for_write() as session:
key_ref = self._get_protocol(session, idp_id, protocol_id)
session.delete(key_ref)
def delete_limit(self, limit_id):
with sql.session_for_write() as session:
ref = self._get_limit(session, limit_id)
session.delete(ref)
def delete_mapping(self, mapping_id):
with sql.session_for_write() as session:
mapping_ref = self._get_mapping(session, mapping_id)
session.delete(mapping_ref)
