def list_users_in_group(self, group_id):
self.get_group(group_id)
user_keys = filter(lambda x: x.startswith("user-"), self.db.keys())
user_refs = [self.db.get(key) for key in user_keys]
user_refs_for_group = filter(lambda x: group_id in x['groups'],
user_refs)
return [identity.filter_user(x) for x in user_refs_for_group]
def create_user(self, user_id, user):
user = utils.hash_user_password(user)
session = sql.get_session()
with session.begin():
user_ref = User.from_dict(user)
session.add(user_ref)
return identity.filter_user(user_ref.to_dict())
def create_user(self, user_id, user):
user['name'] = clean.user_name(user['name'])
try:
self.get_user(user_id)
except exception.UserNotFound:
pass
else:
msg = 'Duplicate ID, %s.' % user_id
raise exception.Conflict(type='user', details=msg)
try:
self.get_user_by_name(user['name'], user['domain_id'])
except exception.UserNotFound:
pass
else:
msg = 'Duplicate name, %s.' % user['name']
raise exception.Conflict(type='user', details=msg)
user = utils.hash_user_password(user)
new_user = user.copy()
new_user.setdefault('groups', [])
self.db.set('user-%s' % user_id, new_user)
self.db.set('user_name-%s' % new_user['name'], new_user)
user_list = set(self.db.get('user_list', []))
user_list.add(user_id)
self.db.set('user_list', list(user_list))
return identity.filter_user(new_user)
def list_users_in_group(self, group_id, hints):
session = sql.get_session()
self.get_group(group_id)
query = session.query(User).join(UserGroupMembership)
query = query.filter(UserGroupMembership.group_id == group_id)
query = sql.filter_limit_query(User, query, hints)
return [identity.filter_user(u.to_dict()) for u in query]
def create_user(self, user_id, user):
try:
self.get_user(user_id)
except exception.UserNotFound:
pass
else:
msg = _('Duplicate ID, %s.') % user_id
raise exception.Conflict(type='user', details=msg)
try:
self.get_user_by_name(user['name'], user['domain_id'])
except exception.UserNotFound:
pass
else:
msg = _('Duplicate name, %s.') % user['name']
raise exception.Conflict(type='user', details=msg)
user = utils.hash_user_password(user)
new_user = user.copy()
new_user.setdefault('groups', [])
self.db.set('user-%s' % user_id, new_user)
domain_id = user['domain_id']
user_name_key = self._calc_user_name_key(new_user['name'], domain_id)
self.db.set(user_name_key, new_user)
self._user_id_to_domain_id.notify_user_created(user_id, domain_id)
user_list = set(self.db.get('user_list', []))
user_list.add(user_id)
self.db.set('user_list', list(user_list))
return identity.filter_user(new_user)
def list_users_in_group(self, group_id, hints):
self.get_group(group_id)
user_keys = (k for k in self.db.keys() if k.startswith('user-'))
user_refs = (self.db.get(key) for key in user_keys)
user_refs_for_group = (ref for ref in user_refs
if group_id in ref['groups'])
return [identity.filter_user(x) for x in user_refs_for_group]
def get_user_by_name(self, user_name, domain_id):
# TODO(henry-nash): Use domain_id once domains are implemented
# in LDAP backend
try:
return identity.filter_user(self.user.get_by_name(user_name))
except exception.NotFound:
raise exception.UserNotFound(user_id=user_name)
def authenticate(self, user_id=None, tenant_id=None, password=None):
"""Authenticate based on a user, tenant and password.
Expects the user object to have a password field and the tenant to be
in the list of tenants on the user.
"""
user_ref = None
tenant_ref = None
metadata_ref = {}
try:
user_ref = self._get_user(user_id)
except exception.UserNotFound:
raise AssertionError('Invalid user / password')
if not self._check_password(password, user_ref):
raise AssertionError('Invalid user / password')
if tenant_id is not None:
if tenant_id not in self.get_projects_for_user(user_id):
raise AssertionError('Invalid tenant')
try:
tenant_ref = self.get_project(tenant_id)
metadata_ref = self.get_metadata(user_id, tenant_id)
except exception.ProjectNotFound:
tenant_ref = None
metadata_ref = {}
except exception.MetadataNotFound:
metadata_ref = {}
return (identity.filter_user(user_ref), tenant_ref, metadata_ref)
def create_user(self, user_id, user):
user = self.assignment_api._validate_default_domain(user)
user_ref = self.user.create(user)
tenant_id = user.get('tenant_id')
if tenant_id is not None:
self.assignment_api.add_user_to_project(tenant_id, user_id)
return (self.assignment_api._set_default_domain
(identity.filter_user(user_ref)))
def list_users_in_group(self, group_id, hints):
with sql.session_for_read() as session:
self.get_group(group_id)
query = session.query(User).outerjoin(LocalUser)
query = query.join(UserGroupMembership)
query = query.filter(UserGroupMembership.group_id == group_id)
query = sql.filter_limit_query(User, query, hints)
return [identity.filter_user(u.to_dict()) for u in query]
def get_project_users(self, tenant_id):
session = self.get_session()
self.get_project(tenant_id)
query = session.query(User)
query = query.join(UserProjectMembership)
query = query.filter(UserProjectMembership.tenant_id == tenant_id)
user_refs = query.all()
return [identity.filter_user(user_ref.to_dict()) for user_ref in user_refs]
def create_user(self, user_id, user):
user = self._validate_domain(user)
user_ref = self.user.create(user)
tenant_id = user.get('tenant_id')
user_dn = self.user._id_to_dn(user['id'])
if tenant_id is not None:
self.project.add_user(tenant_id, user_dn)
return self._set_default_domain(identity.filter_user(user_ref))
def create_user(self, user_id, user):
user['name'] = clean.user_name(user['name'])
user = utils.hash_user_password(user)
session = self.get_session()
with session.begin():
user_ref = User.from_dict(user)
session.add(user_ref)
session.flush()
return identity.filter_user(user_ref.to_dict())
def authenticate(self, user_id, password):
user_ref = None
try:
user_ref = self._get_user(user_id)
except exception.UserNotFound:
raise AssertionError(_('Invalid user / password'))
if not utils.check_password(password, user_ref.get('password')):
raise AssertionError(_('Invalid user / password'))
return identity.filter_user(user_ref)
def get_project_users(self, tenant_id):
session = self.get_session()
self.get_project(tenant_id)
user_refs = []
for user_id in self.get_project_user_ids(tenant_id):
query = session.query(User)
query = query.filter(User.id == user_id)
user_ref = query.first()
user_refs.append(identity.filter_user(user_ref.to_dict()))
return user_refs
def get_user_by_name(self, user_name, domain_id):
LOG.debug("Called get_user_by_name %s, %s" % (user_name, domain_id))
# try SQL first
try:
user = super(Identity, self).get_user_by_name(user_name, domain_id)
except exception.UserNotFound:
# then try LDAP
return identity.filter_user(self.user.get_by_name(user_name))
else:
return user
def get_user(self, user_id):
LOG.debug("Called get_user %s" % user_id)
with sql.session_for_read() as session:
user = self._get_user(session, user_id)
try:
user = user.to_dict()
except AttributeError:
# LDAP Users are already dicts which is fine
pass
return identity.filter_user(user)
def authenticate(self, user_id, password):
session = sql.get_session()
user_ref = None
try:
user_ref = self._get_user(session, user_id)
except exception.UserNotFound:
raise AssertionError(_('Invalid user / password'))
if not self._check_password(password, user_ref):
raise AssertionError(_('Invalid user / password'))
return identity.filter_user(user_ref.to_dict())
def get_user_by_name(self, user_name, domain_id):
session = sql.get_session()
query = session.query(User)
query = query.filter_by(name=user_name)
query = query.filter_by(domain_id=domain_id)
try:
user_ref = query.one()
except sql.NotFound:
raise exception.UserNotFound(user_id=user_name)
return identity.filter_user(user_ref.to_dict())
def get_user_by_name(self, user_name, domain_id):
with sql.session_for_read() as session:
query = session.query(User).join(LocalUser)
query = query.filter(sqlalchemy.and_(LocalUser.name == user_name,
LocalUser.domain_id == domain_id))
try:
user_ref = query.one()
except sql.NotFound:
raise exception.UserNotFound(user_id=user_name)
return identity.filter_user(user_ref.to_dict())
def create_federated_user(self, federated_dict):
user = {
'id': uuid.uuid4().hex,
'enabled': True
}
with sql.session_for_write() as session:
federated_ref = model.FederatedUser.from_dict(federated_dict)
user_ref = model.User.from_dict(user)
user_ref.federated_users.append(federated_ref)
session.add(user_ref)
return identity.filter_user(user_ref.to_dict())
def create_user(self, user_id, user):
user["name"] = clean.user_name(user["name"])
if "enabled" not in user:
user["enabled"] = True
user = utils.hash_user_password(user)
session = self.get_session()
with session.begin():
user_ref = User.from_dict(user)
session.add(user_ref)
session.flush()
return identity.filter_user(user_ref.to_dict())
def list_users_in_group(self, group_id, hints):
# TODO(henry-nash) We could implement full filtering here by enhancing
# the join below. However, since it is likely to be a fairly rare
# occurrence to filter on more than the group_id already being used
# here, this is left as future enhancement and until then we leave
# it for the controller to do for us.
session = sql.get_session()
self.get_group(group_id)
query = session.query(User).join(UserGroupMembership)
query = query.filter(UserGroupMembership.group_id == group_id)
return [identity.filter_user(u.to_dict()) for u in query]
def update_user(self, user_id, user):
with sql.session_for_write() as session:
user_ref = self._get_user(session, user_id)
old_user_dict = user_ref.to_dict()
user = utils.hash_user_password(user)
for k in user:
old_user_dict[k] = user[k]
new_user = User.from_dict(old_user_dict)
for attr in User.attributes:
if attr != 'id':
setattr(user_ref, attr, getattr(new_user, attr))
user_ref.extra = new_user.extra
return identity.filter_user(
user_ref.to_dict(include_extra_dict=True))
def authenticate(self, user_id, password):
try:
user_ref = self._get_user(user_id)
except exception.UserNotFound:
raise AssertionError('Invalid user / password')
if not user_id or not password:
raise AssertionError('Invalid user / password')
try:
conn = self.user.get_connection(self.user._id_to_dn(user_id),
password)
if not conn:
raise AssertionError('Invalid user / password')
except Exception:
raise AssertionError('Invalid user / password')
return identity.filter_user(user_ref)
def authorize_for_project(self, user_ref, tenant_id=None):
user_id = user_ref['id']
tenant_ref = None
metadata_ref = {}
if tenant_id is not None:
if tenant_id not in self.get_projects_for_user(user_id):
raise AssertionError('Invalid tenant')
try:
tenant_ref = self.get_project(tenant_id)
metadata_ref = self.get_metadata(user_id, tenant_id)
except exception.ProjectNotFound:
tenant_ref = None
metadata_ref = {}
except exception.MetadataNotFound:
metadata_ref = {}
return (identity.filter_user(user_ref), tenant_ref, metadata_ref)
def authenticate(self, user_id=None, password=None):
try:
user_ref = self._get_user(user_id)
except exception.UserNotFound:
raise AssertionError('Invalid user / password')
if not user_id or not password:
raise AssertionError('Invalid user / password')
try:
conn = self.user.get_connection(self.user._id_to_dn(user_id),
password)
if not conn:
raise AssertionError('Invalid user / password')
except Exception:
raise AssertionError('Invalid user / password')
return self.assignment_api._set_default_domain(
identity.filter_user(user_ref))
def update_user(self, user_id, user):
session = db_session.get_session()
if 'id' in user and user_id != user['id']:
raise exception.ValidationError(_('Cannot change user ID'))
with session.begin():
user_ref = self._get_user(session, user_id)
old_user_dict = user_ref.to_dict()
user = utils.hash_user_password(user)
for k in user:
old_user_dict[k] = user[k]
new_user = User.from_dict(old_user_dict)
for attr in User.attributes:
if attr != 'id':
setattr(user_ref, attr, getattr(new_user, attr))
user_ref.extra = new_user.extra
return identity.filter_user(user_ref.to_dict(include_extra_dict=True))
def authenticate(self, user_id=None, tenant_id=None, password=None):
"""Authenticate based on a user, tenant and password.
Expects the user object to have a password field and the tenant to be
in the list of tenants on the user.
"""
user_ref = None
tenant_ref = None
metadata_ref = {}
try:
user_ref = self._get_user(user_id)
except exception.UserNotFound:
raise AssertionError('Invalid user / password')
if not self._check_password(password, user_ref):
raise AssertionError('Invalid user / password')
if tenant_id is not None:
# FIXME(gyee): this should really be
# get_roles_for_user_and_project() after the dusts settle
if tenant_id not in self.get_projects_for_user(user_id):
# get_roles_for_user_and_project() returns a set
roles = []
try:
roles = self.get_roles_for_user_and_project(user_id,
tenant_id)
except:
# FIXME(gyee): we should never get into this situation
# after user project role migration is completed
pass
if not roles:
raise AssertionError('Invalid tenant')
try:
tenant_ref = self.get_project(tenant_id)
metadata_ref = self.get_metadata(user_id, tenant_id)
except exception.ProjectNotFound:
tenant_ref = None
metadata_ref = {}
except exception.MetadataNotFound:
metadata_ref = {}
return (identity.filter_user(user_ref), tenant_ref, metadata_ref)
def authenticate(self, user_id, password):
try:
user_ref = self._get_user(user_id)
except exception.UserNotFound:
raise AssertionError("Invalid user / password")
if not user_id or not password:
raise AssertionError("Invalid user / password")
conn = None
try:
conn = self.user.get_connection(self.user._id_to_dn(user_id), password)
if not conn:
raise AssertionError("Invalid user / password")
except Exception:
raise AssertionError("Invalid user / password")
finally:
if conn:
conn.unbind_s()
return identity.filter_user(user_ref)
def authenticate(self, user_id, password):
try:
user_ref = self._get_user(user_id)
except exception.UserNotFound:
raise AssertionError(_('Invalid user / password'))
if not user_id or not password:
raise AssertionError(_('Invalid user / password'))
conn = None
try:
conn = self.user.get_connection(self.user._id_to_dn(user_id),
password)
if not conn:
raise AssertionError(_('Invalid user / password'))
except Exception:
raise AssertionError(_('Invalid user / password'))
finally:
if conn:
conn.unbind_s()
return identity.filter_user(user_ref)
def update_user(self, user_id, user):
if 'name' in user:
user['name'] = clean.user_name(user['name'])
session = self.get_session()
if 'id' in user and user_id != user['id']:
raise exception.ValidationError('Cannot change user ID')
with session.begin():
user_ref = session.query(User).filter_by(id=user_id).first()
if user_ref is None:
raise exception.UserNotFound(user_id=user_id)
old_user_dict = user_ref.to_dict()
user = utils.hash_user_password(user)
for k in user:
old_user_dict[k] = user[k]
new_user = User.from_dict(old_user_dict)
user_ref.name = new_user.name
user_ref.extra = new_user.extra
session.flush()
return identity.filter_user(user_ref.to_dict(include_extra_dict=True))
def update_user(self, user_id, user):
if 'name' in user:
existing = self.db.get('user_name-%s' % user['name'], False)
if existing and user_id != existing['id']:
msg = 'Duplicate name, %s.' % user['name']
raise exception.Conflict(type='user', details=msg)
# get the old name and delete it too
try:
old_user = self.db.get('user-%s' % user_id)
except exception.NotFound:
raise exception.UserNotFound(user_id=user_id)
new_user = old_user.copy()
user = utils.hash_user_password(user)
new_user.update(user)
if new_user['id'] != user_id:
raise exception.ValidationError('Cannot change user ID')
self.db.delete('user_name-%s' % old_user['name'])
self.db.set('user-%s' % user_id, new_user)
self.db.set('user_name-%s' % new_user['name'], new_user)
return identity.filter_user(new_user)
def update_user(self, user_id, user):
try:
domain_id = self._user_id_to_domain_id.get(user_id)
except exception.NotFound:
raise exception.UserNotFound(user_id=user_id)
if 'name' in user:
user_key = self._calc_user_name_key(user['name'], domain_id)
existing = self.db.get(user_key, False)
if existing and user_id != existing['id']:
msg = _('Duplicate name, %s.') % user['name']
raise exception.Conflict(type='user', details=msg)
# get the old name and delete it too
old_user = self.db.get('user-%s' % user_id)
new_user = old_user.copy()
user = utils.hash_user_password(user)
new_user.update(user)
self.db.delete(self._calc_user_name_key(old_user['name'], domain_id))
self.db.set('user-%s' % user_id, new_user)
user_name_key = self._calc_user_name_key(new_user['name'], domain_id)
self.db.set(user_name_key, new_user)
return identity.filter_user(new_user)
def authorize_for_project(self, user_ref, tenant_id=None):
user_id = user_ref['id']
tenant_ref = None
metadata_ref = {}
if tenant_id is not None:
if tenant_id not in self.get_projects_for_user(user_id):
raise AssertionError('Invalid tenant')
try:
tenant_ref = self.get_project(tenant_id)
# TODO(termie): this should probably be made into a
# get roles call
metadata_ref = self.get_metadata(user_id, tenant_id)
except exception.ProjectNotFound:
tenant_ref = None
metadata_ref = {}
except exception.MetadataNotFound:
metadata_ref = {}
user_ref = self._set_default_domain(identity.filter_user(user_ref))
return (user_ref, tenant_ref, metadata_ref)
def update_user(self, user_id, user):
if 'name' in user:
user['name'] = clean.user_name(user['name'])
if 'enabled' in user:
user['enabled'] = clean.user_enabled(user['enabled'])
session = self.get_session()
if 'id' in user and user_id != user['id']:
raise exception.ValidationError('Cannot change user ID')
with session.begin():
user_ref = self._get_user(session, user_id)
old_user_dict = user_ref.to_dict()
user = utils.hash_user_password(user)
for k in user:
old_user_dict[k] = user[k]
new_user = User.from_dict(old_user_dict)
for attr in User.attributes:
if attr != 'id':
setattr(user_ref, attr, getattr(new_user, attr))
user_ref.extra = new_user.extra
session.flush()
return identity.filter_user(user_ref.to_dict(include_extra_dict=True))
def authenticate(self, user_id=None, tenant_id=None, password=None):
"""Authenticate based on a user, tenant and password.
Expects the user object to have a password field and the tenant to be
in the list of tenants on the user.
"""
tenant_ref = None
metadata_ref = {}
try:
user_ref = self._get_user(user_id)
except exception.UserNotFound:
raise AssertionError('Invalid user / password')
try:
conn = self.user.get_connection(self.user._id_to_dn(user_id),
password)
if not conn:
raise AssertionError('Invalid user / password')
except Exception:
raise AssertionError('Invalid user / password')
if tenant_id is not None:
if tenant_id not in self.get_projects_for_user(user_id):
raise AssertionError('Invalid tenant')
try:
tenant_ref = self.get_project(tenant_id)
# TODO(termie): this should probably be made into a
# get roles call
metadata_ref = self.get_metadata(user_id, tenant_id)
except exception.ProjectNotFound:
tenant_ref = None
metadata_ref = {}
except exception.MetadataNotFound:
metadata_ref = {}
user_ref = self._set_default_domain(identity.filter_user(user_ref))
return (user_ref, tenant_ref, metadata_ref)
def authenticate(self, user_id=None, tenant_id=None, password=None):
"""Authenticate based on a user, tenant and password.
Expects the user object to have a password field and the tenant to be
in the list of tenants on the user.
"""
session = self.get_session()
user_ref = None
tenant_ref = None
metadata_ref = {}
try:
user_ref = self._get_user(session, user_id)
except exception.UserNotFound:
raise AssertionError('Invalid user / password')
if not self._check_password(password, user_ref):
raise AssertionError('Invalid user / password')
if tenant_id is not None:
# FIXME(gyee): this should really be
# get_roles_for_user_and_project() after the dusts settle
if tenant_id not in self.get_projects_for_user(user_id):
raise AssertionError('Invalid project')
try:
tenant_ref = self.get_project(tenant_id)
metadata_ref = self.get_metadata(user_id, tenant_id)
except exception.ProjectNotFound:
tenant_ref = None
metadata_ref = {}
except exception.MetadataNotFound:
metadata_ref = {}
user_ref = identity.filter_user(user_ref.to_dict())
return (user_ref, tenant_ref, metadata_ref)
def create_user(self, user_id, user):
user['name'] = clean.user_name(user['name'])
return identity.filter_user(self.user.create(user))
def get_federated_user(self, idp_id, protocol_id, unique_id):
user_ref = self._get_federated_user(idp_id, protocol_id, unique_id)
return identity.filter_user(user_ref.to_dict())
def create_user(self, user_id, user):
user_ref = self.user.create(user)
tenant_id = user.get('tenant_id')
if tenant_id is not None:
self.assignment_api.add_user_to_project(tenant_id, user_id)
return identity.filter_user(user_ref)
def get_user(self, user_id):
session = sql.get_session()
return identity.filter_user(self._get_user(session, user_id).to_dict())
def filter_attributes(self, user):
return identity.filter_user(common_ldap.filter_entity(user))
def get_all_filtered(self):
return [identity.filter_user(user) for user in self.get_all()]
def get_user(self, user_id):
LOG.debug("Called get_user %s" % user_id)
user_ref = identity.filter_user(self._get_user(user_id))
return _set_default_domain(user_ref)
def get_project_users(self, tenant_id):
self.get_project(tenant_id)
user_keys = filter(lambda x: x.startswith("user-"), self.db.keys())
user_refs = [self.db.get(key) for key in user_keys]
user_refs = filter(lambda x: tenant_id in x['tenants'], user_refs)
return [identity.filter_user(user_ref) for user_ref in user_refs]
def create_user(self, user_id, user):
user = self._validate_domain(user)
user['name'] = clean.user_name(user['name'])
user['enabled'] = clean.user_enabled(user.get('enabled', True))
user_ref = self.user.create(user)
return self._set_default_domain(identity.filter_user(user_ref))
def list_users(self):
session = self.get_session()
user_refs = session.query(User)
return [identity.filter_user(x.to_dict()) for x in user_refs]
def create_user(self, user_id, user):
self.user.check_allow_create()
user_ref = self.user.create(user)
return identity.filter_user(user_ref)
def get_user_by_name(self, user_name, domain_id):
# domain_id will already have been handled in the Manager layer,
# parameter left in so this matches the Driver specification
return identity.filter_user(self.user.get_by_name(user_name))
def get_user_by_name(self, user_name, domain_id):
# TODO(henry-nash): Use domain_id once domains are implemented
# in LDAP backend
return identity.filter_user(self.user.get_by_name(user_name))
def get_user_by_name(self, user_name, domain_id):
self._validate_domain_id(domain_id)
ref = identity.filter_user(self.user.get_by_name(user_name))
return self._set_default_domain(ref)
def get_user(self, user_id):
with sql.session_for_read() as session:
return identity.filter_user(
self._get_user(session, user_id).to_dict())
def get_user(self, user_id):
ref = identity.filter_user(self._get_user(user_id))
return self._set_default_domain(ref)
def get_filtered(self, user_id):
user = self.get(user_id)
return identity.filter_user(user)
def list_users(self, hints):
session = sql.get_session()
query = session.query(User)
user_refs = sql.filter_limit_query(User, query, hints)
return [identity.filter_user(x.to_dict()) for x in user_refs]
def get_user(self, user_id):
return identity.filter_user(self._get_user(user_id))
def get_user_by_name(self, user_name, domain_id):
return identity.filter_user(
self._get_user_by_name(user_name, domain_id))
def create_user(self, user_id, user):
user_ref = self.user.create(user)
return identity.filter_user(user_ref)
def get_user_by_name(self, user_name):
return identity.filter_user(self._get_user_by_name(user_name))
