def delete_grant(self, role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False): self.get_role(role_id) if domain_id: self.get_domain(domain_id) if project_id: self.get_project(project_id) try: metadata_ref = self._get_metadata(user_id, project_id, domain_id, group_id) except exception.MetadataNotFound: metadata_ref = {} try: metadata_ref['roles'] = self._remove_role_from_role_dicts( role_id, inherited_to_projects, metadata_ref.get('roles', [])) except KeyError: raise exception.RoleNotFound(role_id=role_id) self._update_metadata(user_id, project_id, metadata_ref, domain_id, group_id)
def get_grant(self, role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False): role_ref = self.get_role(role_id) if domain_id: self.get_domain(domain_id) if project_id: self.get_project(project_id) try: metadata_ref = self._get_metadata(user_id, project_id, domain_id, group_id) except exception.MetadataNotFound: metadata_ref = {} role_ids = set( self._roles_from_role_dicts(metadata_ref.get('roles', []), inherited_to_projects)) if role_id not in role_ids: raise exception.RoleNotFound(role_id=role_id) return role_ref
def delete_user(self, role_dn, user_dn, role_id): try: super(RoleApi, self).remove_member(user_dn, role_dn) except (self.NotFound, ldap.NO_SUCH_ATTRIBUTE): raise exception.RoleNotFound(message=_( 'Cannot remove role that has not been granted, %s') % role_id)
def delete_grant(self, role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False): self.get_role(role_id) if domain_id: self.get_domain(domain_id) if project_id: self.get_project(project_id) try: metadata_ref = self._get_metadata(user_id, project_id, domain_id, group_id) except exception.MetadataNotFound: metadata_ref = {} try: if user_id is None: metadata_ref['roles'] = ( self._remove_role_from_group_and_project( group_id, project_id, role_id)) else: metadata_ref['roles'] = self.remove_role_from_user_and_project( user_id, project_id, role_id) except KeyError: raise exception.RoleNotFound(role_id=role_id)
def delete_grant(self, role_id, user_id=None, group_id=None, domain_id=None, project_id=None): self.get_role(role_id) if user_id: self.get_user(user_id) if group_id: self.get_group(group_id) if domain_id: self.get_domain(domain_id) if project_id: self.get_project(project_id) try: metadata_ref = self.get_metadata(user_id, project_id, domain_id, group_id) except exception.MetadataNotFound: metadata_ref = {} roles = set(metadata_ref.get('roles', [])) try: roles.remove(role_id) except KeyError: raise exception.RoleNotFound(role_id=role_id) metadata_ref['roles'] = list(roles) self.update_metadata(user_id, project_id, metadata_ref, domain_id, group_id)
def _check_role_for_trust(self, context, trust_id, role_id): """Checks if a role has been assigned to a trust.""" trust = self.trust_api.get_trust(trust_id) user_id = self._get_user_id(context) _trustor_trustee_only(trust, user_id) if not any(role['id'] == role_id for role in trust['roles']): raise exception.RoleNotFound(role_id=role_id)
def _require_trustor_has_role_in_project(self, trust): user_roles = self._get_user_role(trust) for trust_role in trust['roles']: matching_roles = [x for x in user_roles if x == trust_role['id']] if not matching_roles: raise exception.RoleNotFound(role_id=trust_role['id'])
def validate_shadow_mapping(shadow_projects, existing_roles, idp_domain_id, idp_id): # Validate that the roles in the shadow mapping actually exist. If # they don't we should bail early before creating anything. for shadow_project in shadow_projects: for shadow_role in shadow_project['roles']: # The role in the project mapping must exist in order for it to # be useful. if shadow_role['name'] not in existing_roles: LOG.error( 'Role %s was specified in the mapping but does ' 'not exist. All roles specified in a mapping must ' 'exist before assignment.', shadow_role['name']) # NOTE(lbragstad): The RoleNotFound exception usually # expects a role_id as the parameter, but in this case we # only have a name so we'll pass that instead. raise exception.RoleNotFound(shadow_role['name']) role = existing_roles[shadow_role['name']] if (role['domain_id'] is not None and role['domain_id'] != idp_domain_id): LOG.error( 'Role %(role)s is a domain-specific role and ' 'cannot be assigned within %(domain)s.', { 'role': shadow_role['name'], 'domain': idp_domain_id }) raise exception.DomainSpecificRoleNotWithinIdPDomain( role_name=shadow_role['name'], identity_provider=idp_id)
def delete_role(self, role_id): try: self.db.delete('role-%s' % role_id) except exception.NotFound: raise exception.RoleNotFound(role_id=role_id) role_list = set(self.db.get('role_list', [])) role_list.remove(role_id) self.db.set('role_list', list(role_list))
def get_by_name(self, name, filter=None): roles = self.get_all('(%s=%s)' % (self.attribute_mapping['name'], ldap_filter.escape_filter_chars(name))) try: return roles[0] except IndexError: raise exception.RoleNotFound(role_id=name)
def create_trust(self, context, trust=None): """Create a new trust. The user creating the trust must be the trustor. """ # TODO(ayoung): instead of raising ValidationError on the first # problem, return a collection of all the problems. # Explicitly prevent a trust token from creating a new trust. auth_context = context.get('environment', {}).get('KEYSTONE_AUTH_CONTEXT', {}) if auth_context.get('is_delegated_auth'): raise exception.Forbidden( _('Cannot create a trust' ' with a token issued via delegation.')) if not trust: raise exception.ValidationError(attribute='trust', target='request') if trust.get('project_id') and not trust.get('roles'): raise exception.Forbidden( _('At least one role should be specified.')) try: user_id = self._get_user_id(context) _trustor_only(context, trust, user_id) #confirm that the trustee exists self.identity_api.get_user(trust['trustee_user_id']) all_roles = self.assignment_api.list_roles() clean_roles = self._clean_role_list(context, trust, all_roles) if trust.get('project_id'): user_role = self.assignment_api.get_roles_for_user_and_project( user_id, trust['project_id']) else: user_role = [] for trust_role in clean_roles: matching_roles = [ x for x in user_role if x == trust_role['id'] ] if not matching_roles: raise exception.RoleNotFound(role_id=trust_role['id']) if trust.get('expires_at') is not None: if not trust['expires_at'].endswith('Z'): trust['expires_at'] += 'Z' try: trust['expires_at'] = (timeutils.parse_isotime( trust['expires_at'])) except ValueError: raise exception.ValidationTimeStampError() trust_id = uuid.uuid4().hex new_trust = self.trust_api.create_trust(trust_id, trust, clean_roles) self._fill_in_roles(context, new_trust, all_roles) return TrustV3.wrap_member(context, new_trust) except KeyError as e: raise exception.ValidationError(attribute=e.args[0], target='trust')
def _get_role_id(self, role_name): session = self.get_session() query = session.query(sql.Role).filter_by(name=role_name) try: role_ref = query.one() except keystone_sql.NotFound: raise exception.RoleNotFound(role_id=role_name) return role_ref.to_dict()['id']
def get_role_for_trust(self, context, trust_id, role_id): """Checks if a role has been assigned to a trust.""" trust = self.trust_api.get_trust(context, trust_id) if not trust: raise exception.TrustNotFound(trust_id) user_id = self._get_user_id(context) _admin_trustor_trustee_only(context, trust, user_id) matching_roles = [x for x in trust['roles'] if x['id'] == role_id] if not matching_roles: raise exception.RoleNotFound(role_id=role_id) global_roles = self.identity_api.list_roles(context) matching_roles = [x for x in global_roles if x['id'] == role_id] if matching_roles: full_role = (identity.controllers.RoleV3.wrap_member( context, matching_roles[0])) return full_role else: raise exception.RoleNotFound(role_id=role_id)
def check_role_for_trust(self, context, trust_id, role_id): """Checks if a role has been assigned to a trust.""" trust = self.trust_api.get_trust(context, trust_id) if not trust: raise exception.TrustNotFound(trust_id) user_id = self._get_user_id(context) _admin_trustor_trustee_only(context, trust, user_id) matching_roles = [x for x in trust['roles'] if x['id'] == role_id] if not matching_roles: raise exception.RoleNotFound(role_id=role_id)
def delete_role(self, role_id): session = self.get_session() try: ref = session.query(Role).filter_by(id=role_id).one() except sql.NotFound: raise exception.RoleNotFound(role_id=role_id) with session.begin(): for metadata_ref in session.query(UserProjectGrant): try: self.delete_grant(role_id, user_id=metadata_ref.user_id, project_id=metadata_ref.project_id) except exception.RoleNotFound: pass for metadata_ref in session.query(UserDomainGrant): try: self.delete_grant(role_id, user_id=metadata_ref.user_id, domain_id=metadata_ref.domain_id) except exception.RoleNotFound: pass for metadata_ref in session.query(GroupProjectGrant): try: self.delete_grant(role_id, group_id=metadata_ref.group_id, project_id=metadata_ref.project_id) except exception.RoleNotFound: pass for metadata_ref in session.query(GroupDomainGrant): try: self.delete_grant(role_id, group_id=metadata_ref.group_id, domain_id=metadata_ref.domain_id) except exception.RoleNotFound: pass if not session.query(Role).filter_by(id=role_id).delete(): raise exception.RoleNotFound(role_id=role_id) session.delete(ref) session.flush()
def update_role(self, role_id, role): session = self.get_session() with session.begin(): role_ref = session.query(Role).filter_by(id=role_id).first() if role_ref is None: raise exception.RoleNotFound(role_id=role_id) for k in role: role_ref[k] = role[k] session.flush() return role_ref
def remove_role_from_user_and_project(self, user_id, tenant_id, role_id): with sql.transaction() as session: q = session.query(RoleAssignment) q = q.filter_by(actor_id=user_id) q = q.filter_by(target_id=tenant_id) q = q.filter_by(role_id=role_id) if q.delete() == 0: raise exception.RoleNotFound(message=_( 'Cannot remove role that has not been granted, %s') % role_id)
def get_role_for_trust(self, request, trust_id, role_id): """Get a role that has been assigned to a trust.""" trust = self.trust_api.get_trust(trust_id) _trustor_trustee_only(trust, request.context.user_id) if not any(role['id'] == role_id for role in trust['roles']): raise exception.RoleNotFound(role_id=role_id) role = self.role_api.get_role(role_id) return assignment.controllers.RoleV3.wrap_member( request.context_dict, role)
def delete_user(self, role_dn, user_dn, tenant_dn, user_id, role_id): conn = self.get_connection() try: conn.modify_s(role_dn, [(ldap.MOD_DELETE, self.member_attribute, user_dn)]) except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE): raise exception.RoleNotFound( message=_('Cannot remove role that has not been granted, %s') % role_id) finally: conn.unbind_s()
def get(self, trust_id, role_id): """Get a role that has been assigned to a trust.""" ENFORCER.enforce_call(action='identity:get_role_for_trust') trust = PROVIDERS.trust_api.get_trust(trust_id) _trustor_trustee_only(trust) if not any(role['id'] == role_id for role in trust['roles']): raise exception.RoleNotFound(role_id=role_id) role = PROVIDERS.role_api.get_role(role_id) return ks_flask.ResourceBase.wrap_member(role, collection_name='roles', member_name='role')
def remove_role_from_user_and_project(self, user_id, tenant_id, role_id): try: metadata_ref = self.get_metadata(user_id, tenant_id) roles = set(metadata_ref.get('roles', [])) if role_id not in roles: msg = _('Cannot remove role that has not been granted, %s' % role_id) raise exception.RoleNotFound(message=msg) roles.remove(role_id) metadata_ref['roles'] = list(roles) if len(roles): self.update_metadata(user_id, tenant_id, metadata_ref) else: session = self.get_session() q = session.query(UserProjectGrant) q = q.filter_by(project_id=tenant_id) q.delete() except exception.MetadataNotFound: msg = 'Cannot remove role that has not been granted, %s' % role_id raise exception.RoleNotFound(message=msg)
def update(self, role_id, role): if role['id'] != role_id: raise exception.ValidationError('Cannot change role ID') try: old_name = self.get_by_name(role['name']) raise exception.Conflict('Cannot duplicate name %s' % role['name']) except exception.NotFound: pass try: super(RoleApi, self).update(role_id, role) except exception.NotFound: raise exception.RoleNotFound(role_id=role_id)
def remove_role_from_user_and_tenant(self, user_id, tenant_id, role_id): metadata_ref = self.get_metadata(user_id, tenant_id) if not metadata_ref: metadata_ref = {} roles = set(metadata_ref.get('roles', [])) if role_id not in roles: msg = 'Cannot remove role that has not been granted, %s' % role_id raise exception.RoleNotFound(message=msg) roles.remove(role_id) metadata_ref['roles'] = list(roles) self.update_metadata(user_id, tenant_id, metadata_ref)
def get_access_token_role(self, context, user_id, access_token_id, role_id): access_token = self.oauth_api.get_access_token(access_token_id) if access_token['authorizing_user_id'] != user_id: raise exception.Unauthorized(_('User IDs do not match')) roles = access_token['requested_roles'] roles_dict = jsonutils.loads(roles) for role in roles_dict: if role['id'] == role_id: role = self._format_role_entity(role) return AccessTokenRolesV3.wrap_member(context, role) raise exception.RoleNotFound(_('Could not find role'))
def get_access_token_role(self, context, user_id, access_token_id, role_id): access_token = self.oauth_api.get_access_token(access_token_id) if access_token['authorizing_user_id'] != user_id: raise exception.Unauthorized(_('User IDs do not match')) authed_role_ids = access_token['role_ids'] authed_role_ids = jsonutils.loads(authed_role_ids) for authed_role_id in authed_role_ids: if authed_role_id == role_id: role = self._format_role_entity(role_id) return AccessTokenRolesV3.wrap_member(context, role) raise exception.RoleNotFound(_('Could not find role'))
def get(self, trust_id, role_id): """Get a role that has been assigned to a trust.""" ENFORCER.enforce_call(action='identity:get_role_for_trust') trust = PROVIDERS.trust_api.get_trust(trust_id) _trustor_trustee_only(trust) if not any(role['id'] == role_id for role in trust['roles']): raise exception.RoleNotFound(role_id=role_id) role = PROVIDERS.role_api.get_role(role_id) # TODO(morgan): Correct this to allow for local member wrapping of # RoleV3. return assignment.controllers.RoleV3.wrap_member( {'environment': flask.request.environ}, role)
def delete_grant(self, role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False): with sql.transaction() as session: q = self._build_grant_filter(session, role_id, user_id, group_id, domain_id, project_id, inherited_to_projects) if not q.delete(False): raise exception.RoleNotFound(role_id=role_id)
def remove_role_from_user_and_project(self, user_id, tenant_id, role_id): try: metadata_ref = self._get_metadata(user_id, tenant_id) try: metadata_ref['roles'] = self._remove_role_from_role_dicts( role_id, False, metadata_ref.get('roles', [])) except KeyError: raise exception.RoleNotFound(message=_( 'Cannot remove role that has not been granted, %s') % role_id) if len(metadata_ref['roles']): self._update_metadata(user_id, tenant_id, metadata_ref) else: session = self.get_session() q = session.query(UserProjectGrant) q = q.filter_by(user_id=user_id) q = q.filter_by(project_id=tenant_id) q.delete() except exception.MetadataNotFound: msg = 'Cannot remove role that has not been granted, %s' % role_id raise exception.RoleNotFound(message=msg)
def create_trust(self, context, trust=None): """Create a new trust. The user creating the trust must be the trustor. """ # TODO(ayoung): instead of raising ValidationError on the first # problem, return a collection of all the problems. if not trust: raise exception.ValidationError(attribute='trust', target='request') try: user_id = self._get_user_id(context) _trustor_only(context, trust, user_id) #confirm that the trustee exists trustee_ref = self.identity_api.get_user(trust['trustee_user_id']) if not trustee_ref: raise exception.UserNotFound(user_id=trust['trustee_user_id']) all_roles = self.assignment_api.list_roles() clean_roles = self._clean_role_list(context, trust, all_roles) if trust.get('project_id'): user_role = self.assignment_api.get_roles_for_user_and_project( user_id, trust['project_id']) else: user_role = [] for trust_role in clean_roles: matching_roles = [x for x in user_role if x == trust_role['id']] if not matching_roles: raise exception.RoleNotFound(role_id=trust_role['id']) if trust.get('expires_at') is not None: if not trust['expires_at'].endswith('Z'): trust['expires_at'] += 'Z' try: trust['expires_at'] = (timeutils.parse_isotime (trust['expires_at'])) except ValueError: raise exception.ValidationTimeStampError() trust_id = uuid.uuid4().hex new_trust = self.trust_api.create_trust(trust_id, trust, clean_roles) self._fill_in_roles(context, new_trust, all_roles) return TrustV3.wrap_member(context, new_trust) except KeyError as e: raise exception.ValidationError(attribute=e.args[0], target='trust')
def default_roles(self): if not self._default_roles: with sql.transaction() as session: query = session.query(sql_role.RoleTable) query = query.filter(sql_role.RoleTable.name.in_( CONF.ldap_hybrid.default_roles)) role_refs = query.all() if len(role_refs) != len(CONF.ldap_hybrid.default_roles): raise exception.RoleNotFound( message=_('Could not find one or more roles: %s') % ', '.join(CONF.ldap_hybrid.default_roles)) self._default_roles = [role_ref.id for role_ref in role_refs] return self._default_roles