def list_implied_roles(self, prior_role_id): with sql.session_for_read() as session: query = session.query( ImpliedRoleTable).filter( ImpliedRoleTable.prior_role_id == prior_role_id) refs = query.all() return [ref.to_dict() for ref in refs]
def list_users(self, hints): with sql.session_for_read() as session: query = session.query(model.User).outerjoin(model.LocalUser) query, hints = self._create_password_expires_query(session, query, hints) user_refs = sql.filter_limit_query(model.User, query, hints) return [base.filter_user(x.to_dict()) for x in user_refs]
def list_application_credentials_for_user(self, user_id, hints): with sql.session_for_read() as session: query = session.query(ApplicationCredentialModel) query = sql.filter_limit_query(ApplicationCredentialModel, query, hints) app_creds = query.filter_by(user_id=user_id) return [self._to_dict(ref) for ref in app_creds]
def get_federated_users(self, hints): with sql.session_for_read() as session: query = session.query(model.User).outerjoin(model.LocalUser) query = query.filter(model.User.id == model.FederatedUser.user_id) query = self._update_query_with_federated_statements(hints, query) user_refs = sql.filter_limit_query(model.User, query, hints) return [identity_base.filter_user(x.to_dict()) for x in user_refs]
def list_groups_for_user(self, user_id, hints): with sql.session_for_read() as session: self.get_user(user_id) query = session.query(Group).join(UserGroupMembership) query = query.filter(UserGroupMembership.user_id == user_id) query = sql.filter_limit_query(Group, query, hints) return [g.to_dict() for g in query]
def list_domain_ids_for_user(self, user_id, group_ids, hints, inherited=False): with sql.session_for_read() as session: query = session.query(RoleAssignment.target_id) filters = [] if user_id: sql_constraints = sqlalchemy.and_( RoleAssignment.actor_id == user_id, RoleAssignment.inherited == inherited, RoleAssignment.type == AssignmentType.USER_DOMAIN) filters.append(sql_constraints) if group_ids: sql_constraints = sqlalchemy.and_( RoleAssignment.actor_id.in_(group_ids), RoleAssignment.inherited == inherited, RoleAssignment.type == AssignmentType.GROUP_DOMAIN) filters.append(sql_constraints) if not filters: return [] query = query.filter(sqlalchemy.or_(*filters)).distinct() return [assignment.target_id for assignment in query.all()]
def check_project_depth(self, max_depth): with sql.session_for_read() as session: obj_list = [] # Using db table self outerjoin to find the project descendants. # # We'll only outerjoin the project table `max_depth` times to # check whether current project tree exceed the max depth limit. # # For example: # # If max_depth is 2, we will take the outerjoin 2 times, then the # SQL result may be like: # # +---- +-------------+-------------+-------------+ # | No. | project1_id | project2_id | project3_id | # +--- -+-------------+-------------+-------------+ # | 1 | domain_x | | | # +- ---+-------------+-------------+-------------+ # | 2 | project_a | | | # +- ---+-------------+-------------+-------------+ # | 3 | domain_y | project_a | | # +- ---+-------------+-------------+-------------+ # | 4 | project_b | project_c | | # +- ---+-------------+-------------+-------------+ # | 5 | domain_y | project_b | project_c | # +- ---+-------------+-------------+-------------+ # # `project1_id` column is the root. It is a project or a domain. # If `project1_id` is a project, there must exist a line that # `project1` is its domain. # # We got 5 lines here. It includes three scenarios: # # 1). The No.1 line means there is a domain `domain_x` which has no # children. The depth is 1. # # 2). The No.2 and No.3 lines mean project `project_a` has no child # and its parent is domain `domain_y`. The depth is 2. # # 3). The No.4 and No.5 lines mean project `project_b` has a child # `project_c` and its parent is domain `domain_y`. The depth is # 3. This tree hit the max depth # # So we can see that if column "project3_id" has value, it means # some trees hit the max depth limit. for _ in range(max_depth + 1): obj_list.append(orm.aliased(Project)) query = session.query(*obj_list) for index in range(max_depth): query = query.outerjoin( obj_list[index + 1], obj_list[index].id == obj_list[index + 1].parent_id) exceeded_lines = query.filter( obj_list[-1].id != expression.null()) if exceeded_lines: return [line[max_depth].id for line in exceeded_lines]
def test_configured_algorithm_used(self): with sql.session_for_read() as session: user_ref = self.identity_api._get_user(session, self.user_foo['id']) self.assertEqual( passlib.hash.scrypt, password_hashing._get_hasher_from_ident(user_ref.password))
def test_password_hashed(self): with sql.session_for_read() as session: user_ref = PROVIDERS.identity_api._get_user( session, self.user_foo['id'] ) self.assertNotEqual(self.user_foo['password'], user_ref['password'])
def list_users_in_group(self, group_id, hints): with sql.session_for_read() as session: self.get_group(group_id) query = session.query(User).outerjoin(LocalUser) query = query.join(UserGroupMembership) query = query.filter(UserGroupMembership.group_id == group_id) query = sql.filter_limit_query(User, query, hints) return [identity.filter_user(u.to_dict()) for u in query]
def get_token(self, token_id): if token_id is None: raise exception.TokenNotFound(token_id=token_id) with sql.session_for_read() as session: token_ref = session.query(TokenModel).get(token_id) if not token_ref or not token_ref.valid: raise exception.TokenNotFound(token_id=token_id) return token_ref.to_dict()
def get_domain_by_name(self, domain_name): with sql.session_for_read() as session: try: ref = (session.query(Domain). filter_by(name=domain_name).one()) except sql.NotFound: raise exception.DomainNotFound(domain_id=domain_name) return ref.to_dict()
def list_projects_from_ids(self, ids): if not ids: return [] else: with sql.session_for_read() as session: query = session.query(Project) query = query.filter(Project.id.in_(ids)) return [project_ref.to_dict() for project_ref in query.all()]
def list_credentials_for_user(self, user_id, type=None): with sql.session_for_read() as session: query = session.query(CredentialModel) query = query.filter_by(user_id=user_id) if type: query = query.filter_by(type=type) refs = query.all() return [ref.to_dict() for ref in refs]
def list_user_ids_for_project(self, tenant_id): with sql.session_for_read() as session: query = session.query(RoleAssignment.actor_id) query = query.filter_by(type=AssignmentType.USER_PROJECT) query = query.filter_by(target_id=tenant_id) query = query.distinct('actor_id') assignments = query.all() return [assignment.actor_id for assignment in assignments]
def list_role_assignments(self, role_id=None, user_id=None, group_ids=None, domain_id=None, project_ids=None, inherited_to_projects=None): def denormalize_role(ref): assignment = {} if ref.type == AssignmentType.USER_PROJECT: assignment['user_id'] = ref.actor_id assignment['project_id'] = ref.target_id elif ref.type == AssignmentType.USER_DOMAIN: assignment['user_id'] = ref.actor_id assignment['domain_id'] = ref.target_id elif ref.type == AssignmentType.GROUP_PROJECT: assignment['group_id'] = ref.actor_id assignment['project_id'] = ref.target_id elif ref.type == AssignmentType.GROUP_DOMAIN: assignment['group_id'] = ref.actor_id assignment['domain_id'] = ref.target_id else: raise exception.Error(message=_( 'Unexpected assignment type encountered, %s') % ref.type) assignment['role_id'] = ref.role_id if ref.inherited: assignment['inherited_to_projects'] = 'projects' return assignment with sql.session_for_read() as session: assignment_types = self._get_assignment_types( user_id, group_ids, project_ids, domain_id) targets = None if project_ids: targets = project_ids elif domain_id: targets = [domain_id] actors = None if group_ids: actors = group_ids elif user_id: actors = [user_id] query = session.query(RoleAssignment) if role_id: query = query.filter_by(role_id=role_id) if actors: query = query.filter(RoleAssignment.actor_id.in_(actors)) if targets: query = query.filter(RoleAssignment.target_id.in_(targets)) if assignment_types: query = query.filter(RoleAssignment.type.in_(assignment_types)) if inherited_to_projects is not None: query = query.filter_by(inherited=inherited_to_projects) return [denormalize_role(ref) for ref in query.all()]
def list_grant_role_ids(self, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False): with sql.session_for_read() as session: q = session.query(RoleAssignment.role_id) q = q.filter(RoleAssignment.actor_id == (user_id or group_id)) q = q.filter(RoleAssignment.target_id == (project_id or domain_id)) q = q.filter(RoleAssignment.inherited == inherited_to_projects) return [x.role_id for x in q.all()]
def list_projects_in_domain(self, domain_id): with sql.session_for_read() as session: try: self._get_project(session, domain_id) except exception.ProjectNotFound: raise exception.DomainNotFound(domain_id=domain_id) query = session.query(Project) project_refs = query.filter(Project.domain_id == domain_id) return [project_ref.to_dict() for project_ref in project_refs]
def list_domains_from_ids(self, ids): if not ids: return [] else: with sql.session_for_read() as session: query = session.query(Domain) query = query.filter(Domain.id.in_(ids)) domain_refs = query.all() return [domain_ref.to_dict() for domain_ref in domain_refs]
def list_roles_from_ids(self, ids): if not ids: return [] else: with sql.session_for_read() as session: query = session.query(RoleTable) query = query.filter(RoleTable.id.in_(ids)) role_refs = query.all() return [role_ref.to_dict() for role_ref in role_refs]
def list_project_ids_from_domain_ids(self, domain_ids): if not domain_ids: return [] else: with sql.session_for_read() as session: query = session.query(Project.id) query = ( query.filter(Project.domain_id.in_(domain_ids))) return [x.id for x in query.all()]
def test_create_user_with_null_password(self): user_dict = unit.new_user_ref( domain_id=CONF.identity.default_domain_id) user_dict["password"] = None new_user_dict = self.identity_api.create_user(user_dict) with sql.session_for_read() as session: new_user_ref = self.identity_api._get_user(session, new_user_dict['id']) self.assertFalse(new_user_ref.local_user.passwords)
def get_application_credential(self, application_credential_id): with sql.session_for_read() as session: query = session.query(ApplicationCredentialModel).filter_by( id=application_credential_id) ref = query.first() if ref is None: raise exception.ApplicationCredentialNotFound( application_credential_id=application_credential_id) app_cred_dict = self._to_dict(ref) return app_cred_dict
def get_project_by_name(self, tenant_name, domain_id): with sql.session_for_read() as session: query = session.query(Project) query = query.filter_by(name=tenant_name) query = query.filter_by(domain_id=domain_id) try: project_ref = query.one() except sql.NotFound: raise exception.ProjectNotFound(project_id=tenant_name) return project_ref.to_dict()
def list_config_options(self, domain_id, group=None, option=None, sensitive=False): with sql.session_for_read() as session: config_table = self.choose_table(sensitive) query = session.query(config_table) query = query.filter_by(domain_id=domain_id) if group: query = query.filter_by(group=group) if option: query = query.filter_by(option=option) return [ref.to_dict() for ref in query.all()]
def get_federated_user(self, idp_id, protocol_id, unique_id): # NOTE(notmorgan): Open a session here to ensure .to_dict is called # within an active session context. This will prevent lazy-load # relationship failure edge-cases # FIXME(notmorgan): Eventually this should not call `to_dict` here and # rely on something already in the session context to perform the # `to_dict` call. with sql.session_for_read(): user_ref = self._get_federated_user(idp_id, protocol_id, unique_id) return identity_base.filter_user(user_ref.to_dict())
def _list_last_fetch_events(self, last_fetch=None): with sql.session_for_read() as session: query = session.query(RevocationEvent).order_by( RevocationEvent.revoked_at) if last_fetch: query = query.filter(RevocationEvent.revoked_at > last_fetch) events = [revoke_model.RevokeEvent(**e.to_dict()) for e in query] return events
def get_user_by_name(self, user_name, domain_id): with sql.session_for_read() as session: query = session.query(User).join(LocalUser) query = query.filter(sqlalchemy.and_(LocalUser.name == user_name, LocalUser.domain_id == domain_id)) try: user_ref = query.one() except sql.NotFound: raise exception.UserNotFound(user_id=user_name) return identity.filter_user(user_ref.to_dict())
def get_group_by_name(self, group_name, domain_id): with sql.session_for_read() as session: query = session.query(Group) query = query.filter_by(name=group_name) query = query.filter_by(domain_id=domain_id) try: group_ref = query.one() except sql.NotFound: raise exception.GroupNotFound(group_id=group_name) return group_ref.to_dict()
def authenticate(self, user_id, password): with sql.session_for_read() as session: user_ref = None try: user_ref = self._get_user(session, user_id) except exception.UserNotFound: raise AssertionError(_('Invalid user / password')) if not self._check_password(password, user_ref): raise AssertionError(_('Invalid user / password')) return identity.filter_user(user_ref.to_dict())
def list_trusts_for_trustor(self, trustor_user_id): with sql.session_for_read() as session: trusts = (session.query(TrustModel).filter_by( deleted_at=None).filter_by(trustor_user_id=trustor_user_id)) return [trust_ref.to_dict() for trust_ref in trusts]
def get_request_token(self, request_token_id): with sql.session_for_read() as session: token_ref = self._get_request_token(session, request_token_id) return token_ref.to_dict()
def list_access_tokens(self, user_id): with sql.session_for_read() as session: q = session.query(AccessToken) user_auths = q.filter_by(authorizing_user_id=user_id) return [base.filter_token(x.to_dict()) for x in user_auths]
def list_roles(self, hints): with sql.session_for_read() as session: query = session.query(RoleTable) refs = sql.filter_limit_query(RoleTable, query, hints) return [ref.to_dict() for ref in refs]
def test_password_hashed(self): with sql.session_for_read() as session: user_ref = self.identity_api._get_user(session, self.user_foo['id']) self.assertNotEqual(self.user_foo['password'], user_ref['password'])
def get_limit(self, limit_id): with sql.session_for_read() as session: return self._get_limit(session, limit_id).to_dict()
def list_projects_in_domain(self, domain_id): with sql.session_for_read() as session: self._get_domain(session, domain_id) query = session.query(Project) project_refs = query.filter_by(domain_id=domain_id) return [project_ref.to_dict() for project_ref in project_refs]
def get_user(self, user_id): with sql.session_for_read() as session: user_ref = self._get_user(session, user_id) return identity_base.filter_user(user_ref.to_dict())
def _get_user_ref(self, user_id): with sql.session_for_read() as session: return self.identity_api._get_user(session, user_id)
def is_leaf_project(self, project_id): with sql.session_for_read() as session: project_refs = self._get_children(session, [project_id]) return not project_refs
def get_role(self, role_id): with sql.session_for_read() as session: return self._get_role(session, role_id).to_dict()
def list_trusts(self): with sql.session_for_read() as session: trusts = session.query(TrustModel).filter_by(deleted_at=None) return [trust_ref.to_dict() for trust_ref in trusts]
def get_enabled_service_providers(self): with sql.session_for_read() as session: service_providers = session.query(ServiceProviderModel) service_providers = service_providers.filter_by(enabled=True) return service_providers
def get_sp(self, sp_id): with sql.session_for_read() as session: sp_ref = self._get_sp(session, sp_id) return sp_ref.to_dict()
def get_group(self, group_id): with sql.session_for_read() as session: return self._get_group(session, group_id).to_dict()
def get_consumer_with_secret(self, consumer_id): with sql.session_for_read() as session: consumer_ref = self._get_consumer(session, consumer_id) return consumer_ref.to_dict()
def list_groups(self, hints): with sql.session_for_read() as session: query = session.query(model.Group) refs = sql.filter_limit_query(model.Group, query, hints) return [ref.to_dict() for ref in refs]
def list_sps(self, hints=None): with sql.session_for_read() as session: query = session.query(ServiceProviderModel) sps = sql.filter_limit_query(ServiceProviderModel, query, hints) sps_list = [sp.to_dict() for sp in sps] return sps_list
def get_mapping(self, mapping_id): with sql.session_for_read() as session: mapping_ref = self._get_mapping(session, mapping_id) return mapping_ref.to_dict()
def get_access_token(self, access_token_id): with sql.session_for_read() as session: token_ref = self._get_access_token(session, access_token_id) return token_ref.to_dict()
def get_user(self, user_id): with sql.session_for_read() as session: return base.filter_user(self._get_user(session, user_id).to_dict())
def list_protocols(self, idp_id): with sql.session_for_read() as session: q = session.query(FederationProtocolModel) q = q.filter_by(idp_id=idp_id) protocols = [protocol.to_dict() for protocol in q] return protocols
def get_project(self, project_id): with sql.session_for_read() as session: return self._get_project(session, project_id).to_dict()
def list_consumers(self): with sql.session_for_read() as session: cons = session.query(Consumer) return [base.filter_consumer(x.to_dict()) for x in cons]
def get_mapping_from_idp_and_protocol(self, idp_id, protocol_id): with sql.session_for_read() as session: protocol_ref = self._get_protocol(session, idp_id, protocol_id) mapping_id = protocol_ref.mapping_id mapping_ref = self._get_mapping(session, mapping_id) return mapping_ref.to_dict()
def version(self): with sql.session_for_read() as session: return migration.db_version(session.get_bind(), self.repo_path, self.min_version)
def list_mappings(self): with sql.session_for_read() as session: mappings = session.query(MappingModel) return [x.to_dict() for x in mappings]
def get_db_version(repo=LEGACY_REPO): with sql.session_for_read() as session: return migration.db_version(session.get_bind(), find_repo(repo), get_init_version())
def _get_user_ref(self, user_id): with sql.session_for_read() as session: return session.query(model.User).get(user_id)
def get_domain(self, domain_id): with sql.session_for_read() as session: return self._get_domain(session, domain_id).to_dict()