Exemple #1
 def revoke_by_grant(self, role_id, user_id=None,
                     domain_id=None, project_id=None):
     """Revoke on a role grant.

     Builds a ``model.RevokeEvent`` from the role id and whichever of the
     user, domain and project ids were supplied, then passes it to
     ``self.revoke()``.  Nothing is returned.
     """
     # NOTE(review): nothing in this method rejects a call that sets both
     # domain_id and project_id; confirm whether self.revoke() or the
     # callers enforce that.
     grant_event = model.RevokeEvent(user_id=user_id,
                                     role_id=role_id,
                                     domain_id=domain_id,
                                     project_id=project_id)
     self.revoke(grant_event)
Exemple #2
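    def get_events(self, last_fetch=None):
        """Return stored revocation events, ordered by ``revoked_at``.

        ``_prune_expired_events()`` is called before the table is read.

        :param last_fetch: when truthy, only events whose ``revoked_at`` is
            strictly later than this value are returned; otherwise every
            stored event is returned.
        :returns: list of ``model.RevokeEvent`` objects, one per row, built
            from the row's ``to_dict()``.
        """
        self._prune_expired_events()
        session = sql.get_session()
        query = session.query(RevocationEvent).order_by(
            RevocationEvent.revoked_at)

        if last_fetch:
            # filter() returns a new query instead of changing this one in
            # place, so its result has to be kept.  Discarding it meant the
            # whole table was loaded on every call and filtered in Python.
            # The comparison is strict (>) so the result set is the one the
            # Python-side filter used to produce.
            # NOTE(review): an event stamped exactly at last_fetch is not
            # returned; confirm consumers pick last_fetch so a revocation
            # cannot be skipped at that boundary.
            query = query.filter(RevocationEvent.revoked_at > last_fetch)

        return [model.RevokeEvent(**row.to_dict()) for row in query]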
Exemple #3
 def test_past_expiry_are_removed(self):
     """An event stamped in the past must not add to the listed events.

     One expiration-based event is recorded and listed.  A second event
     whose ``revoked_at`` is set to ``_past_time()`` is then recorded, and
     ``get_events()`` is expected to still return exactly one event.
     """
     api = self.revoke_api
     api.revoke_by_expiration(1, _future_time())
     self.assertEqual(1, len(api.get_events()))

     stale_event = model.RevokeEvent()
     stale_event.revoked_at = _past_time()
     api.revoke(stale_event)
     self.assertEqual(1, len(api.get_events()))
Exemple #4
 def _revoke_by_grant(self, role_id, user_id=None,
                      domain_id=None, project_id=None):
     """Add a role-grant revocation to ``self.tree`` and record it.

     :returns: the value ``self.tree.add_event()`` gives back for the new
         ``model.RevokeEvent``; the same object is appended to
         ``self.events``.
     """
     criteria = model.RevokeEvent(user_id=user_id,
                                  role_id=role_id,
                                  domain_id=domain_id,
                                  project_id=project_id)
     added = self.tree.add_event(criteria)
     self.events.append(added)
     return added
Exemple #5
 def _revoke_by_expiration(self, user_id, expires_at, project_id=None,
                           domain_id=None):
     """Add a user/expiry revocation to ``self.tree`` and record it.

     The optional project and domain ids are passed straight through to
     ``model.RevokeEvent``.

     :returns: the value returned by ``self.tree.add_event()``, which is
         also appended to ``self.events``.
     """
     criteria = model.RevokeEvent(user_id=user_id,
                                  expires_at=expires_at,
                                  project_id=project_id,
                                  domain_id=domain_id)
     added = self.tree.add_event(criteria)
     self.events.append(added)
     return added
Exemple #6
 def _revoke_by_audit_chain_id(self, audit_chain_id, project_id=None,
                               domain_id=None):
     """Add an audit-chain revocation to ``self.tree`` and record it.

     :returns: the value returned by ``self.tree.add_event()``, which is
         also appended to ``self.events``.
     """
     criteria = model.RevokeEvent(audit_chain_id=audit_chain_id,
                                  project_id=project_id,
                                  domain_id=domain_id)
     added = self.tree.add_event(criteria)
     self.events.append(added)
     return added
Exemple #7
    def revoke_by_audit_chain_id(self, audit_chain_id, project_id=None,
                                 domain_id=None):
        """Revoke by audit chain id, optionally narrowed to one scope.

        ``_assert_not_domain_and_project_scoped()`` is called with both
        scope ids before the ``model.RevokeEvent`` is built and handed to
        ``self.revoke()``.  Nothing is returned.
        """
        scope = {'domain_id': domain_id, 'project_id': project_id}
        self._assert_not_domain_and_project_scoped(**scope)

        chain_event = model.RevokeEvent(audit_chain_id=audit_chain_id,
                                        **scope)
        self.revoke(chain_event)
Exemple #8
    def revoke_by_expiration(self, user_id, expires_at,
                             domain_id=None, project_id=None):
        """Revoke by user id and expiry, optionally narrowed to one scope.

        The scope ids are first checked with
        ``_assert_not_domain_and_project_scoped()``; the resulting
        ``model.RevokeEvent`` is then passed to ``self.revoke()``.
        Nothing is returned.
        """
        # Scope check runs before any event object is created.
        self._assert_not_domain_and_project_scoped(domain_id=domain_id,
                                                   project_id=project_id)

        expiry_event = model.RevokeEvent(user_id=user_id,
                                         expires_at=expires_at,
                                         domain_id=domain_id,
                                         project_id=project_id)
        self.revoke(expiry_event)
    def test_disabled_project_in_list(self):
        """A project-scoped revocation shows up in GET /OS-REVOKE/events.

        Exactly one event is expected, and it is compared against the
        recorded project id and the time taken just before revoking.
        """
        project_id = uuid.uuid4().hex
        expected = {'project_id': six.text_type(project_id)}
        # Captured before the revoke call so it precedes the event.
        before_time = timeutils.utcnow()
        self.revoke_api.revoke(model.RevokeEvent(project_id=project_id))

        listed = self.get('/OS-REVOKE/events').json_body['events']
        self.assertEqual(len(listed), 1)
        self.assertReportedEventMatchesRecorded(listed[0], expected,
                                                before_time)
Exemple #10
    def list_events(self, last_fetch=None):
        """Return stored revocation events, ordered by ``revoked_at``.

        :param last_fetch: when truthy, the query is restricted to rows
            whose ``revoked_at`` is strictly later than this value.
        :returns: list of ``model.RevokeEvent`` objects, one per row, built
            from the row's ``to_dict()``.
        """
        session = sql.get_session()
        rows = session.query(RevocationEvent).order_by(
            RevocationEvent.revoked_at)
        if last_fetch:
            # NOTE(review): strict >, so an event stamped exactly at
            # last_fetch is left out; confirm callers account for that.
            rows = rows.filter(RevocationEvent.revoked_at > last_fetch)

        events = []
        for row in rows:
            events.append(model.RevokeEvent(**row.to_dict()))
        return events
    def test_since_future_time_no_events(self):
        """A ``since`` value in the future yields an empty event list.

        One domain-scoped event is recorded and seen in the unfiltered
        listing; the same listing with ``since`` set from
        ``_future_time_string()`` is expected to be empty.
        """
        domain_id = uuid.uuid4().hex
        # Not referenced by the assertions below.
        sample = {'domain_id': six.text_type(domain_id)}

        self.revoke_api.revoke(model.RevokeEvent(domain_id=domain_id))

        unfiltered = self.get('/OS-REVOKE/events').json_body['events']
        self.assertEqual(len(unfiltered), 1)

        since_url = '/OS-REVOKE/events?since=%s' % _future_time_string()
        filtered = self.get(since_url).json_body['events']
        self.assertEqual([], filtered)
Exemple #12
    def revoke_by_expiration(self, user_id, expires_at,
                             domain_id=None, project_id=None):
        """Revoke by user id and expiry, optionally narrowed to one scope.

        :raises exception.UnexpectedError: when both ``domain_id`` and
            ``project_id`` are given; no event is passed to
            ``self.revoke()`` in that case.
        """
        both_scopes_given = not (domain_id is None or project_id is None)
        if both_scopes_given:
            msg = _('The call to keystone.contrib.revoke.Manager '
                    'revoke_by_expiration() must not have both domain_id and '
                    'project_id. This is a bug in the keystone server. The '
                    'current request is aborted.')
            raise exception.UnexpectedError(exception=msg)

        expiry_event = model.RevokeEvent(user_id=user_id,
                                         expires_at=expires_at,
                                         domain_id=domain_id,
                                         project_id=project_id)
        self.revoke(expiry_event)
Exemple #13
 def revoke_by_expiration(self, user_id, expires_at):
     """Pass a user/expiry ``model.RevokeEvent`` to ``self.revoke()``."""
     expiry_event = model.RevokeEvent(user_id=user_id,
                                      expires_at=expires_at)
     self.revoke(expiry_event)
Exemple #14
 def _revoke_by_user(self, user_id):
     """Add a user-wide revocation to ``self.tree``.

     :returns: the value returned by ``self.tree.add_event()``.  This
         helper does not append to ``self.events``.
     """
     criteria = model.RevokeEvent(user_id=user_id)
     return self.tree.add_event(criteria)
Exemple #15
 def _consumer_callback(self, service, resource_type, operation, payload):
     """Revoke by consumer id taken from a notification payload.

     Only ``payload['resource_info']`` is read; ``service``,
     ``resource_type`` and ``operation`` are not used here.
     """
     consumer_id = payload['resource_info']
     self.revoke(model.RevokeEvent(consumer_id=consumer_id))
Exemple #16
 def _revoke_by_audit_id(self, audit_id):
     """Add an audit-id revocation to ``self.tree`` and record it.

     :returns: the value returned by ``self.tree.add_event()``, which is
         also appended to ``self.events``.
     """
     criteria = model.RevokeEvent(audit_id=audit_id)
     added = self.tree.add_event(criteria)
     self.events.append(added)
     return added
Exemple #17
 def revoke_by_domain_role_assignment(self, domain_id, role_id):
     """Pass a domain/role ``model.RevokeEvent`` to ``self.revoke()``."""
     assignment_event = model.RevokeEvent(domain_id=domain_id,
                                          role_id=role_id)
     self.revoke(assignment_event)
Exemple #18
 def _project_callback(self, service, resource_type, operation, payload):
     """Revoke by project id taken from a notification payload.

     Only ``payload['resource_info']`` is read; ``service``,
     ``resource_type`` and ``operation`` are not used here.
     """
     project_id = payload['resource_info']
     self.revoke(model.RevokeEvent(project_id=project_id))
Exemple #19
 def revoke_by_user_and_project(self, user_id, project_id):
     """Pass a project/user ``model.RevokeEvent`` to ``self.revoke()``."""
     scoped_event = model.RevokeEvent(project_id=project_id,
                                      user_id=user_id)
     self.revoke(scoped_event)
Exemple #20
 def revoke_by_project_role_assignment(self, project_id, role_id):
     """Pass a project/role ``model.RevokeEvent`` to ``self.revoke()``."""
     assignment_event = model.RevokeEvent(project_id=project_id,
                                          role_id=role_id)
     self.revoke(assignment_event)
Exemple #21
 def revoke_by_audit_id(self, audit_id):
     """Pass an audit-id ``model.RevokeEvent`` to ``self.revoke()``."""
     audit_event = model.RevokeEvent(audit_id=audit_id)
     self.revoke(audit_event)
Exemple #22
 def revoke_by_user(self, user_id):
     """Revoke by user id.

     :returns: whatever ``self.revoke()`` returns for the new
         ``model.RevokeEvent``.
     """
     user_event = model.RevokeEvent(user_id=user_id)
     return self.revoke(user_event)
Exemple #23
 def _revoke_by_expiration(self, user_id, expires_at):
     """Add a user/expiry revocation to ``self.tree`` and record it.

     :returns: the value returned by ``self.tree.add_event()``, which is
         also appended to ``self.events``.
     """
     criteria = model.RevokeEvent(user_id=user_id, expires_at=expires_at)
     added = self.tree.add_event(criteria)
     self.events.append(added)
     return added
Exemple #24
 def _revoke_by_domain_role_assignment(self, domain_id, role_id):
     """Add a domain/role revocation to ``self.tree`` and record it.

     :returns: the value returned by ``self.tree.add_event()``, which is
         also appended to ``self.events``.
     """
     criteria = model.RevokeEvent(domain_id=domain_id, role_id=role_id)
     added = self.tree.add_event(criteria)
     self.events.append(added)
     return added
Exemple #25
 def _revoke_by_user_and_project(self, user_id, project_id):
     """Add a project/user revocation to ``self.tree`` and record it.

     :returns: the value returned by ``self.tree.add_event()``, which is
         also appended to ``self.events``.
     """
     criteria = model.RevokeEvent(project_id=project_id, user_id=user_id)
     added = self.tree.add_event(criteria)
     self.events.append(added)
     return added
Exemple #26
 def _revoke_by_project_role_assignment(self, project_id, role_id):
     """Add a project/role revocation to ``self.tree`` and record it.

     :returns: the value returned by ``self.tree.add_event()``, which is
         also appended to ``self.events``.
     """
     criteria = model.RevokeEvent(project_id=project_id, role_id=role_id)
     added = self.tree.add_event(criteria)
     self.events.append(added)
     return added
Exemple #27
 def _access_token_callback(self, service, resource_type, operation,
                            payload):
     """Revoke by access token id taken from a notification payload.

     Only ``payload['resource_info']`` is read; ``service``,
     ``resource_type`` and ``operation`` are not used here.
     """
     access_token_id = payload['resource_info']
     self.revoke(model.RevokeEvent(access_token_id=access_token_id))
Exemple #28
 def _revoke_by_domain(self, domain_id):
     """Add a domain-wide revocation to ``self.tree`` and record it.

     The value returned by ``self.tree.add_event()`` is appended to
     ``self.events``; this helper itself returns nothing.
     """
     criteria = model.RevokeEvent(domain_id=domain_id)
     added = self.tree.add_event(criteria)
     self.events.append(added)
Exemple #29
 def _group_callback(self, service, resource_type, operation, payload):
     """Revoke once per user in the group named by a notification payload.

     The group is looked up with
     ``self.identity_api.list_users_in_group(payload['resource_info'])``
     and a user-wide ``model.RevokeEvent`` is passed to ``self.revoke()``
     for each returned user's ``'id'``.  ``service``, ``resource_type``
     and ``operation`` are not used here.
     """
     group_id = payload['resource_info']
     for member in self.identity_api.list_users_in_group(group_id):
         self.revoke(model.RevokeEvent(user_id=member['id']))