def get_trust(self, context, trust_id):
user_id = self._get_user_id(context)
trust = self.trust_api.get_trust(trust_id)
if not trust:
raise exception.TrustNotFound(trust_id)
_admin_trustor_trustee_only(context, trust, user_id)
if not trust:
raise exception.TrustNotFound(trust_id=trust_id)
if (user_id != trust['trustor_user_id']
and user_id != trust['trustee_user_id']):
raise exception.Forbidden()
self._fill_in_roles(context, trust, self.assignment_api.list_roles())
return TrustV3.wrap_member(context, trust)
def list_roles_for_trust(self, context, trust_id):
trust = self.get_trust(context, trust_id)['trust']
if not trust:
raise exception.TrustNotFound(trust_id)
user_id = self._get_user_id(context)
_trustor_trustee_only(trust, user_id)
return {'roles': trust['roles'], 'links': trust['roles_links']}
def delete_trust(self, trust_id):
try:
ref = self.db.get('trust-%s' % trust_id)
except exception.NotFound:
raise exception.TrustNotFound(trust_id=trust_id)
ref['deleted'] = True
self.db.set('trust-%s' % trust_id, ref)
def delete_trust(self, trust_id):
"""Remove a trust.
:raises: keystone.exception.TrustNotFound
Recursively remove given and redelegated trusts
"""
trust = self.driver.get_trust(trust_id)
if not trust:
raise exception.TrustNotFound(trust_id)
trusts = self.driver.list_trusts_for_trustor(trust['trustor_user_id'])
for t in trusts:
if t.get('redelegated_trust_id') == trust_id:
# recursive call to make sure all notifications are sent
try:
self.delete_trust(t['id'])
except exception.TrustNotFound:
# if trust was deleted by concurrent process
# consistency must not suffer
pass
# end recursion
self.driver.delete_trust(trust_id)
def delete_trust(self, trust_id):
session = db_session.get_session()
with session.begin():
trust_ref = session.query(TrustModel).get(trust_id)
if not trust_ref:
raise exception.TrustNotFound(trust_id=trust_id)
trust_ref.deleted_at = timeutils.utcnow()
def get_trust(self, context, trust_id):
user_id = self._get_user_id(context)
trust = self.trust_api.get_trust(trust_id)
if not trust:
raise exception.TrustNotFound(trust_id)
_trustor_trustee_only(trust, user_id)
self._fill_in_roles(context, trust, self.assignment_api.list_roles())
return TrustV3.wrap_member(context, trust)
def delete_trust(self, context, trust_id):
trust = self.trust_api.get_trust(trust_id)
if not trust:
raise exception.TrustNotFound(trust_id=trust_id)
user_id = self._get_user_id(context)
_admin_trustor_only(context, trust, user_id)
self.trust_api.delete_trust(trust_id)
def delete_trust(self, context, trust_id):
trust = self.trust_api.get_trust(trust_id)
if not trust:
raise exception.TrustNotFound(trust_id=trust_id)
user_id = self._get_user_id(context)
_admin_trustor_only(context, trust, user_id)
initiator = notifications._get_request_audit_info(context)
self.trust_api.delete_trust(trust_id, initiator)
def check_role_for_trust(self, context, trust_id, role_id):
"""Checks if a role has been assigned to a trust."""
trust = self.trust_api.get_trust(trust_id)
if not trust:
raise exception.TrustNotFound(trust_id)
user_id = self._get_user_id(context)
_trustor_trustee_only(trust, user_id)
if not any(role['id'] == role_id for role in trust['roles']):
raise exception.RoleNotFound(role_id=role_id)
def _lookup_trust(self, trust_info):
trust_id = trust_info.get('id')
if not trust_id:
raise exception.ValidationError(attribute='trust_id',
target='trust')
trust = self.trust_api.get_trust(trust_id)
if not trust:
raise exception.TrustNotFound(trust_id=trust_id)
return trust
def delete_trust(self, trust_id):
session = self.get_session()
with session.begin():
try:
trust_ref = (session.query(TrustModel).
filter_by(id=trust_id).one())
except sql.NotFound:
raise exception.TrustNotFound(trust_id=trust_id)
trust_ref.deleted_at = timeutils.utcnow()
session.flush()
def check_role_for_trust(self, context, trust_id, role_id):
"""Checks if a role has been assigned to a trust."""
trust = self.trust_api.get_trust(context, trust_id)
if not trust:
raise exception.TrustNotFound(trust_id)
user_id = self._get_user_id(context)
_admin_trustor_trustee_only(context, trust, user_id)
matching_roles = [x for x in trust['roles'] if x['id'] == role_id]
if not matching_roles:
raise exception.RoleNotFound(role_id=role_id)
def get_trust(self, trust_id, deleted=False):
with sql.session_for_read() as session:
query = session.query(TrustModel).filter_by(id=trust_id)
if not deleted:
query = query.filter_by(deleted_at=None)
ref = query.first()
if ref is None:
raise exception.TrustNotFound(trust_id=trust_id)
if ref.expires_at is not None and not deleted:
now = timeutils.utcnow()
if now > ref.expires_at:
raise exception.TrustNotFound(trust_id=trust_id)
# Do not return trusts that can't be used anymore
if ref.remaining_uses is not None and not deleted:
if ref.remaining_uses <= 0:
raise exception.TrustNotFound(trust_id=trust_id)
trust_dict = ref.to_dict()
self._add_roles(trust_id, session, trust_dict)
return trust_dict
def delete_trust(self, context, trust_id):
trust = self.trust_api.get_trust(trust_id)
if not trust:
raise exception.TrustNotFound(trust_id)
user_id = self._get_user_id(context)
_admin_trustor_only(context, trust, user_id)
self.trust_api.delete_trust(trust_id)
userid = trust['trustor_user_id']
token_list = self.token_api.list_tokens(userid, trust_id=trust_id)
for token in token_list:
self.token_api.delete_token(token)
def consume_use(self, trust_id):
with sql.transaction() as session:
ref = (session.query(TrustModel).with_lockmode('update').filter_by(
deleted_at=None).filter_by(id=trust_id).first())
if ref is None:
raise exception.TrustNotFound(trust_id=trust_id)
if ref.remaining_uses is None:
# unlimited uses, do nothing
pass
elif ref.remaining_uses > 0:
ref.remaining_uses -= 1
else:
raise exception.TrustUseLimitReached(trust_id=trust_id)
def consume_use(self, trust_id):
try:
orig_ref = self.db.get('trust-%s' % trust_id)
except exception.NotFound:
raise exception.TrustNotFound(trust_id=trust_id)
remaining_uses = orig_ref.get('remaining_uses')
if remaining_uses is None:
# unlimited uses, do nothing
return
elif remaining_uses > 0:
ref = copy.deepcopy(orig_ref)
ref['remaining_uses'] -= 1
self.db.set('trust-%s' % trust_id, ref)
else:
raise exception.TrustUseLimitReached(trust_id=trust_id)
def consume_use(self, trust_id):
for attempt in range(MAXIMUM_CONSUME_ATTEMPTS):
with sql.transaction() as session:
try:
query_result = (session.query(TrustModel.remaining_uses).
filter_by(id=trust_id).
filter_by(deleted_at=None).one())
except sql.NotFound:
raise exception.TrustNotFound(trust_id=trust_id)
remaining_uses = query_result.remaining_uses
if remaining_uses is None:
# unlimited uses, do nothing
break
elif remaining_uses > 0:
# NOTE(morganfainberg): use an optimistic locking method
# to ensure we only ever update a trust that has the
# expected number of remaining uses.
rows_affected = (
session.query(TrustModel).
filter_by(id=trust_id).
filter_by(deleted_at=None).
filter_by(remaining_uses=remaining_uses).
update({'remaining_uses': (remaining_uses - 1)},
synchronize_session=False))
if rows_affected == 1:
# Successfully consumed a single limited-use trust.
# Since trust_id is the PK on the Trust table, there is
# no case we should match more than 1 row in the
# update. We either update 1 row or 0 rows.
break
else:
raise exception.TrustUseLimitReached(trust_id=trust_id)
# NOTE(morganfainberg): Ensure we have a yield point for eventlet
# here. This should cost us nothing otherwise. This can be removed
# if/when oslo_db cleanly handles yields on db calls.
time.sleep(0)
else:
# NOTE(morganfainberg): In the case the for loop is not prematurely
# broken out of, this else block is executed. This means the trust
# was not unlimited nor was it consumed (we hit the maximum
# iteration limit). This is just an indicator that we were unable
# to get the optimistic lock rather than silently failing or
# incorrectly indicating a trust was consumed.
raise exception.TrustConsumeMaximumAttempt(trust_id=trust_id)
def get_role_for_trust(self, context, trust_id, role_id):
"""Checks if a role has been assigned to a trust."""
trust = self.trust_api.get_trust(context, trust_id)
if not trust:
raise exception.TrustNotFound(trust_id)
user_id = self._get_user_id(context)
_admin_trustor_trustee_only(context, trust, user_id)
matching_roles = [x for x in trust['roles'] if x['id'] == role_id]
if not matching_roles:
raise exception.RoleNotFound(role_id=role_id)
global_roles = self.identity_api.list_roles(context)
matching_roles = [x for x in global_roles if x['id'] == role_id]
if matching_roles:
full_role = (identity.controllers.RoleV3.wrap_member(
context, matching_roles[0]))
return full_role
else:
raise exception.RoleNotFound(role_id=role_id)
def delete_trust(self, trust_id):
with sql.session_for_write() as session:
trust_ref = session.query(TrustModel).get(trust_id)
if not trust_ref:
raise exception.TrustNotFound(trust_id=trust_id)
trust_ref.deleted_at = timeutils.utcnow()
