def list_implied_roles(self, prior_role_id):
with sql.session_for_read() as session:
query = session.query(
ImpliedRoleTable).filter(
ImpliedRoleTable.prior_role_id == prior_role_id)
refs = query.all()
return [ref.to_dict() for ref in refs]
def list_users(self, hints):
with sql.session_for_read() as session:
query = session.query(model.User).outerjoin(model.LocalUser)
query, hints = self._create_password_expires_query(session, query,
hints)
user_refs = sql.filter_limit_query(model.User, query, hints)
return [base.filter_user(x.to_dict()) for x in user_refs]
def list_application_credentials_for_user(self, user_id, hints):
with sql.session_for_read() as session:
query = session.query(ApplicationCredentialModel)
query = sql.filter_limit_query(ApplicationCredentialModel, query,
hints)
app_creds = query.filter_by(user_id=user_id)
return [self._to_dict(ref) for ref in app_creds]
def get_federated_users(self, hints):
with sql.session_for_read() as session:
query = session.query(model.User).outerjoin(model.LocalUser)
query = query.filter(model.User.id == model.FederatedUser.user_id)
query = self._update_query_with_federated_statements(hints, query)
user_refs = sql.filter_limit_query(model.User, query, hints)
return [identity_base.filter_user(x.to_dict()) for x in user_refs]
def list_groups_for_user(self, user_id, hints):
with sql.session_for_read() as session:
self.get_user(user_id)
query = session.query(Group).join(UserGroupMembership)
query = query.filter(UserGroupMembership.user_id == user_id)
query = sql.filter_limit_query(Group, query, hints)
return [g.to_dict() for g in query]
def list_domain_ids_for_user(self, user_id, group_ids, hints,
inherited=False):
with sql.session_for_read() as session:
query = session.query(RoleAssignment.target_id)
filters = []
if user_id:
sql_constraints = sqlalchemy.and_(
RoleAssignment.actor_id == user_id,
RoleAssignment.inherited == inherited,
RoleAssignment.type == AssignmentType.USER_DOMAIN)
filters.append(sql_constraints)
if group_ids:
sql_constraints = sqlalchemy.and_(
RoleAssignment.actor_id.in_(group_ids),
RoleAssignment.inherited == inherited,
RoleAssignment.type == AssignmentType.GROUP_DOMAIN)
filters.append(sql_constraints)
if not filters:
return []
query = query.filter(sqlalchemy.or_(*filters)).distinct()
return [assignment.target_id for assignment in query.all()]
def check_project_depth(self, max_depth):
with sql.session_for_read() as session:
obj_list = []
# Using db table self outerjoin to find the project descendants.
#
# We'll only outerjoin the project table `max_depth` times to
# check whether current project tree exceed the max depth limit.
#
# For example:
#
# If max_depth is 2, we will take the outerjoin 2 times, then the
# SQL result may be like:
#
# +---- +-------------+-------------+-------------+
# | No. | project1_id | project2_id | project3_id |
# +--- -+-------------+-------------+-------------+
# | 1 | domain_x | | |
# +- ---+-------------+-------------+-------------+
# | 2 | project_a | | |
# +- ---+-------------+-------------+-------------+
# | 3 | domain_y | project_a | |
# +- ---+-------------+-------------+-------------+
# | 4 | project_b | project_c | |
# +- ---+-------------+-------------+-------------+
# | 5 | domain_y | project_b | project_c |
# +- ---+-------------+-------------+-------------+
#
# `project1_id` column is the root. It is a project or a domain.
# If `project1_id` is a project, there must exist a line that
# `project1` is its domain.
#
# We got 5 lines here. It includes three scenarios:
#
# 1). The No.1 line means there is a domain `domain_x` which has no
# children. The depth is 1.
#
# 2). The No.2 and No.3 lines mean project `project_a` has no child
# and its parent is domain `domain_y`. The depth is 2.
#
# 3). The No.4 and No.5 lines mean project `project_b` has a child
# `project_c` and its parent is domain `domain_y`. The depth is
# 3. This tree hit the max depth
#
# So we can see that if column "project3_id" has value, it means
# some trees hit the max depth limit.
for _ in range(max_depth + 1):
obj_list.append(orm.aliased(Project))
query = session.query(*obj_list)
for index in range(max_depth):
query = query.outerjoin(
obj_list[index + 1],
obj_list[index].id == obj_list[index + 1].parent_id)
exceeded_lines = query.filter(
obj_list[-1].id != expression.null())
if exceeded_lines:
return [line[max_depth].id for line in exceeded_lines]
def test_configured_algorithm_used(self):
with sql.session_for_read() as session:
user_ref = self.identity_api._get_user(session,
self.user_foo['id'])
self.assertEqual(
passlib.hash.scrypt,
password_hashing._get_hasher_from_ident(user_ref.password))
def test_password_hashed(self):
with sql.session_for_read() as session:
user_ref = PROVIDERS.identity_api._get_user(
session, self.user_foo['id']
)
self.assertNotEqual(self.user_foo['password'],
user_ref['password'])
def list_users_in_group(self, group_id, hints):
with sql.session_for_read() as session:
self.get_group(group_id)
query = session.query(User).outerjoin(LocalUser)
query = query.join(UserGroupMembership)
query = query.filter(UserGroupMembership.group_id == group_id)
query = sql.filter_limit_query(User, query, hints)
return [identity.filter_user(u.to_dict()) for u in query]
def get_token(self, token_id):
if token_id is None:
raise exception.TokenNotFound(token_id=token_id)
with sql.session_for_read() as session:
token_ref = session.query(TokenModel).get(token_id)
if not token_ref or not token_ref.valid:
raise exception.TokenNotFound(token_id=token_id)
return token_ref.to_dict()
def get_domain_by_name(self, domain_name):
with sql.session_for_read() as session:
try:
ref = (session.query(Domain).
filter_by(name=domain_name).one())
except sql.NotFound:
raise exception.DomainNotFound(domain_id=domain_name)
return ref.to_dict()
def list_projects_from_ids(self, ids):
if not ids:
return []
else:
with sql.session_for_read() as session:
query = session.query(Project)
query = query.filter(Project.id.in_(ids))
return [project_ref.to_dict() for project_ref in query.all()]
def list_credentials_for_user(self, user_id, type=None):
with sql.session_for_read() as session:
query = session.query(CredentialModel)
query = query.filter_by(user_id=user_id)
if type:
query = query.filter_by(type=type)
refs = query.all()
return [ref.to_dict() for ref in refs]
def list_user_ids_for_project(self, tenant_id):
with sql.session_for_read() as session:
query = session.query(RoleAssignment.actor_id)
query = query.filter_by(type=AssignmentType.USER_PROJECT)
query = query.filter_by(target_id=tenant_id)
query = query.distinct('actor_id')
assignments = query.all()
return [assignment.actor_id for assignment in assignments]
def list_role_assignments(self, role_id=None,
user_id=None, group_ids=None,
domain_id=None, project_ids=None,
inherited_to_projects=None):
def denormalize_role(ref):
assignment = {}
if ref.type == AssignmentType.USER_PROJECT:
assignment['user_id'] = ref.actor_id
assignment['project_id'] = ref.target_id
elif ref.type == AssignmentType.USER_DOMAIN:
assignment['user_id'] = ref.actor_id
assignment['domain_id'] = ref.target_id
elif ref.type == AssignmentType.GROUP_PROJECT:
assignment['group_id'] = ref.actor_id
assignment['project_id'] = ref.target_id
elif ref.type == AssignmentType.GROUP_DOMAIN:
assignment['group_id'] = ref.actor_id
assignment['domain_id'] = ref.target_id
else:
raise exception.Error(message=_(
'Unexpected assignment type encountered, %s') %
ref.type)
assignment['role_id'] = ref.role_id
if ref.inherited:
assignment['inherited_to_projects'] = 'projects'
return assignment
with sql.session_for_read() as session:
assignment_types = self._get_assignment_types(
user_id, group_ids, project_ids, domain_id)
targets = None
if project_ids:
targets = project_ids
elif domain_id:
targets = [domain_id]
actors = None
if group_ids:
actors = group_ids
elif user_id:
actors = [user_id]
query = session.query(RoleAssignment)
if role_id:
query = query.filter_by(role_id=role_id)
if actors:
query = query.filter(RoleAssignment.actor_id.in_(actors))
if targets:
query = query.filter(RoleAssignment.target_id.in_(targets))
if assignment_types:
query = query.filter(RoleAssignment.type.in_(assignment_types))
if inherited_to_projects is not None:
query = query.filter_by(inherited=inherited_to_projects)
return [denormalize_role(ref) for ref in query.all()]
def list_grant_role_ids(self, user_id=None, group_id=None,
domain_id=None, project_id=None,
inherited_to_projects=False):
with sql.session_for_read() as session:
q = session.query(RoleAssignment.role_id)
q = q.filter(RoleAssignment.actor_id == (user_id or group_id))
q = q.filter(RoleAssignment.target_id == (project_id or domain_id))
q = q.filter(RoleAssignment.inherited == inherited_to_projects)
return [x.role_id for x in q.all()]
def list_projects_in_domain(self, domain_id):
with sql.session_for_read() as session:
try:
self._get_project(session, domain_id)
except exception.ProjectNotFound:
raise exception.DomainNotFound(domain_id=domain_id)
query = session.query(Project)
project_refs = query.filter(Project.domain_id == domain_id)
return [project_ref.to_dict() for project_ref in project_refs]
def list_domains_from_ids(self, ids):
if not ids:
return []
else:
with sql.session_for_read() as session:
query = session.query(Domain)
query = query.filter(Domain.id.in_(ids))
domain_refs = query.all()
return [domain_ref.to_dict() for domain_ref in domain_refs]
def list_roles_from_ids(self, ids):
if not ids:
return []
else:
with sql.session_for_read() as session:
query = session.query(RoleTable)
query = query.filter(RoleTable.id.in_(ids))
role_refs = query.all()
return [role_ref.to_dict() for role_ref in role_refs]
def list_project_ids_from_domain_ids(self, domain_ids):
if not domain_ids:
return []
else:
with sql.session_for_read() as session:
query = session.query(Project.id)
query = (
query.filter(Project.domain_id.in_(domain_ids)))
return [x.id for x in query.all()]
def test_create_user_with_null_password(self):
user_dict = unit.new_user_ref(
domain_id=CONF.identity.default_domain_id)
user_dict["password"] = None
new_user_dict = self.identity_api.create_user(user_dict)
with sql.session_for_read() as session:
new_user_ref = self.identity_api._get_user(session,
new_user_dict['id'])
self.assertFalse(new_user_ref.local_user.passwords)
def get_application_credential(self, application_credential_id):
with sql.session_for_read() as session:
query = session.query(ApplicationCredentialModel).filter_by(
id=application_credential_id)
ref = query.first()
if ref is None:
raise exception.ApplicationCredentialNotFound(
application_credential_id=application_credential_id)
app_cred_dict = self._to_dict(ref)
return app_cred_dict
def get_project_by_name(self, tenant_name, domain_id):
with sql.session_for_read() as session:
query = session.query(Project)
query = query.filter_by(name=tenant_name)
query = query.filter_by(domain_id=domain_id)
try:
project_ref = query.one()
except sql.NotFound:
raise exception.ProjectNotFound(project_id=tenant_name)
return project_ref.to_dict()
def list_config_options(self, domain_id, group=None, option=None, sensitive=False):
with sql.session_for_read() as session:
config_table = self.choose_table(sensitive)
query = session.query(config_table)
query = query.filter_by(domain_id=domain_id)
if group:
query = query.filter_by(group=group)
if option:
query = query.filter_by(option=option)
return [ref.to_dict() for ref in query.all()]
def get_federated_user(self, idp_id, protocol_id, unique_id):
# NOTE(notmorgan): Open a session here to ensure .to_dict is called
# within an active session context. This will prevent lazy-load
# relationship failure edge-cases
# FIXME(notmorgan): Eventually this should not call `to_dict` here and
# rely on something already in the session context to perform the
# `to_dict` call.
with sql.session_for_read():
user_ref = self._get_federated_user(idp_id, protocol_id, unique_id)
return identity_base.filter_user(user_ref.to_dict())
def _list_last_fetch_events(self, last_fetch=None):
with sql.session_for_read() as session:
query = session.query(RevocationEvent).order_by(
RevocationEvent.revoked_at)
if last_fetch:
query = query.filter(RevocationEvent.revoked_at > last_fetch)
events = [revoke_model.RevokeEvent(**e.to_dict()) for e in query]
return events
def get_user_by_name(self, user_name, domain_id):
with sql.session_for_read() as session:
query = session.query(User).join(LocalUser)
query = query.filter(sqlalchemy.and_(LocalUser.name == user_name,
LocalUser.domain_id == domain_id))
try:
user_ref = query.one()
except sql.NotFound:
raise exception.UserNotFound(user_id=user_name)
return identity.filter_user(user_ref.to_dict())
def get_group_by_name(self, group_name, domain_id):
with sql.session_for_read() as session:
query = session.query(Group)
query = query.filter_by(name=group_name)
query = query.filter_by(domain_id=domain_id)
try:
group_ref = query.one()
except sql.NotFound:
raise exception.GroupNotFound(group_id=group_name)
return group_ref.to_dict()
def authenticate(self, user_id, password):
with sql.session_for_read() as session:
user_ref = None
try:
user_ref = self._get_user(session, user_id)
except exception.UserNotFound:
raise AssertionError(_('Invalid user / password'))
if not self._check_password(password, user_ref):
raise AssertionError(_('Invalid user / password'))
return identity.filter_user(user_ref.to_dict())
def list_trusts_for_trustor(self, trustor_user_id):
with sql.session_for_read() as session:
trusts = (session.query(TrustModel).filter_by(
deleted_at=None).filter_by(trustor_user_id=trustor_user_id))
return [trust_ref.to_dict() for trust_ref in trusts]
def get_request_token(self, request_token_id):
with sql.session_for_read() as session:
token_ref = self._get_request_token(session, request_token_id)
return token_ref.to_dict()
def list_access_tokens(self, user_id):
with sql.session_for_read() as session:
q = session.query(AccessToken)
user_auths = q.filter_by(authorizing_user_id=user_id)
return [base.filter_token(x.to_dict()) for x in user_auths]
def list_roles(self, hints):
with sql.session_for_read() as session:
query = session.query(RoleTable)
refs = sql.filter_limit_query(RoleTable, query, hints)
return [ref.to_dict() for ref in refs]
def test_password_hashed(self):
with sql.session_for_read() as session:
user_ref = self.identity_api._get_user(session,
self.user_foo['id'])
self.assertNotEqual(self.user_foo['password'],
user_ref['password'])
def get_limit(self, limit_id):
with sql.session_for_read() as session:
return self._get_limit(session,
limit_id).to_dict()
def list_projects_in_domain(self, domain_id):
with sql.session_for_read() as session:
self._get_domain(session, domain_id)
query = session.query(Project)
project_refs = query.filter_by(domain_id=domain_id)
return [project_ref.to_dict() for project_ref in project_refs]
def get_user(self, user_id):
with sql.session_for_read() as session:
user_ref = self._get_user(session, user_id)
return identity_base.filter_user(user_ref.to_dict())
def _get_user_ref(self, user_id):
with sql.session_for_read() as session:
return self.identity_api._get_user(session, user_id)
def is_leaf_project(self, project_id):
with sql.session_for_read() as session:
project_refs = self._get_children(session, [project_id])
return not project_refs
def get_role(self, role_id):
with sql.session_for_read() as session:
return self._get_role(session, role_id).to_dict()
def list_trusts(self):
with sql.session_for_read() as session:
trusts = session.query(TrustModel).filter_by(deleted_at=None)
return [trust_ref.to_dict() for trust_ref in trusts]
def get_enabled_service_providers(self):
with sql.session_for_read() as session:
service_providers = session.query(ServiceProviderModel)
service_providers = service_providers.filter_by(enabled=True)
return service_providers
def get_sp(self, sp_id):
with sql.session_for_read() as session:
sp_ref = self._get_sp(session, sp_id)
return sp_ref.to_dict()
def get_group(self, group_id):
with sql.session_for_read() as session:
return self._get_group(session, group_id).to_dict()
def get_consumer_with_secret(self, consumer_id):
with sql.session_for_read() as session:
consumer_ref = self._get_consumer(session, consumer_id)
return consumer_ref.to_dict()
def list_groups(self, hints):
with sql.session_for_read() as session:
query = session.query(model.Group)
refs = sql.filter_limit_query(model.Group, query, hints)
return [ref.to_dict() for ref in refs]
def list_sps(self, hints=None):
with sql.session_for_read() as session:
query = session.query(ServiceProviderModel)
sps = sql.filter_limit_query(ServiceProviderModel, query, hints)
sps_list = [sp.to_dict() for sp in sps]
return sps_list
def get_mapping(self, mapping_id):
with sql.session_for_read() as session:
mapping_ref = self._get_mapping(session, mapping_id)
return mapping_ref.to_dict()
def get_access_token(self, access_token_id):
with sql.session_for_read() as session:
token_ref = self._get_access_token(session, access_token_id)
return token_ref.to_dict()
def get_user(self, user_id):
with sql.session_for_read() as session:
return base.filter_user(self._get_user(session, user_id).to_dict())
def list_protocols(self, idp_id):
with sql.session_for_read() as session:
q = session.query(FederationProtocolModel)
q = q.filter_by(idp_id=idp_id)
protocols = [protocol.to_dict() for protocol in q]
return protocols
def get_project(self, project_id):
with sql.session_for_read() as session:
return self._get_project(session, project_id).to_dict()
def list_consumers(self):
with sql.session_for_read() as session:
cons = session.query(Consumer)
return [base.filter_consumer(x.to_dict()) for x in cons]
def get_mapping_from_idp_and_protocol(self, idp_id, protocol_id):
with sql.session_for_read() as session:
protocol_ref = self._get_protocol(session, idp_id, protocol_id)
mapping_id = protocol_ref.mapping_id
mapping_ref = self._get_mapping(session, mapping_id)
return mapping_ref.to_dict()
def version(self):
with sql.session_for_read() as session:
return migration.db_version(session.get_bind(), self.repo_path,
self.min_version)
def list_mappings(self):
with sql.session_for_read() as session:
mappings = session.query(MappingModel)
return [x.to_dict() for x in mappings]
def get_db_version(repo=LEGACY_REPO):
with sql.session_for_read() as session:
return migration.db_version(session.get_bind(), find_repo(repo),
get_init_version())
def _get_user_ref(self, user_id):
with sql.session_for_read() as session:
return session.query(model.User).get(user_id)
def get_domain(self, domain_id):
with sql.session_for_read() as session:
return self._get_domain(session, domain_id).to_dict()
