def _get_password_expires_at(self, created_at):
expires_days = CONF.security_compliance.password_expires_days
# NOTE(notmorgan): This option is deprecated and subject to removal
# in a future release.
ignore_list = CONF.security_compliance.password_expires_ignore_user_ids
if ignore_list:
versionutils.deprecated(
what='[security_compliance]\password_expires_ignore_user_ids',
as_of=versionutils.deprecated.OCATA,
remove_in=+1,
in_favor_of=('Using the `ignore_password_expiry` value set to '
'`True` in the `user["options"]` dictionary on '
'User creation or update (via API call).'))
# Get the IGNORE_PASSWORD_EXPIRY_OPT value from the user's
# option_mapper.
ignore_pw_expiry = getattr(
self.get_resource_option(iro.IGNORE_PASSWORD_EXPIRY_OPT.option_id),
'option_value',
False)
if (self.id not in ignore_list) and not ignore_pw_expiry:
if expires_days:
expired_date = (created_at +
datetime.timedelta(days=expires_days))
return expired_date.replace(microsecond=0)
return None
def get_token_data(self,
user_id,
method_names,
extras=None,
domain_id=None,
project_id=None,
expires=None,
trust=None,
token=None,
include_catalog=True,
bind=None,
access_token=None,
issued_at=None,
audit_info=None):
if extras is None:
extras = {}
if extras:
versionutils.deprecated(
what='passing token data with "extras"',
as_of=versionutils.deprecated.KILO,
in_favor_of='well-defined APIs')(lambda: None)()
token_data = {'methods': method_names, 'extras': extras}
# We've probably already written these to the token
if token:
for x in ('roles', 'user', 'catalog', 'project', 'domain'):
if x in token:
token_data[x] = token[x]
if CONF.trust.enabled and trust:
if user_id != trust['trustee_user_id']:
raise exception.Forbidden(_('User is not a trustee.'))
if bind:
token_data['bind'] = bind
self._populate_scope(token_data, domain_id, project_id)
self._populate_user(token_data, user_id, trust)
self._populate_roles(token_data, user_id, domain_id, project_id, trust,
access_token)
self._populate_audit_info(token_data, audit_info)
if include_catalog:
self._populate_service_catalog(token_data, user_id, domain_id,
project_id, trust)
self._populate_service_providers(token_data)
self._populate_token_dates(token_data,
expires=expires,
trust=trust,
issued_at=issued_at)
self._populate_oauth_section(token_data, access_token)
return {'token': token_data}
def get_token_data(
self,
user_id,
method_names,
extras=None,
domain_id=None,
project_id=None,
expires=None,
trust=None,
token=None,
include_catalog=True,
bind=None,
access_token=None,
issued_at=None,
audit_info=None,
):
if extras is None:
extras = {}
if extras:
versionutils.deprecated(
what='passing token data with "extras"',
as_of=versionutils.deprecated.KILO,
in_favor_of="well-defined APIs",
)(lambda: None)()
token_data = {"methods": method_names, "extras": extras}
# We've probably already written these to the token
if token:
for x in ("roles", "user", "catalog", "project", "domain"):
if x in token:
token_data[x] = token[x]
if CONF.trust.enabled and trust:
if user_id != trust["trustee_user_id"]:
raise exception.Forbidden(_("User is not a trustee."))
if bind:
token_data["bind"] = bind
self._populate_scope(token_data, domain_id, project_id)
self._populate_user(token_data, user_id, trust)
self._populate_roles(token_data, user_id, domain_id, project_id, trust, access_token)
self._populate_audit_info(token_data, audit_info)
if include_catalog:
self._populate_service_catalog(token_data, user_id, domain_id, project_id, trust)
self._populate_service_providers(token_data)
self._populate_token_dates(token_data, expires=expires, trust=trust, issued_at=issued_at)
self._populate_oauth_section(token_data, access_token)
return {"token": token_data}
def wrapper(*args, **kwargs):
x = versionutils.deprecated(
what="assignment." + f.__name__ + "()",
as_of=versionutils.deprecated.KILO,
in_favor_of="resource." + f.__name__ + "()",
)
return x(f)
def wrapper(*args, **kwargs):
deprecated = versionutils.deprecated(
what=f.__name__ + ' of the v2 Authentication APIs',
as_of=versionutils.deprecated.MITAKA,
in_favor_of=('a similar function in the v3 Authentication APIs'),
remove_in=+7)
return deprecated(f)
def wrapper(*args, **kwargs):
deprecated = versionutils.deprecated(
what=f.__name__ + ' of the v2 API',
as_of=versionutils.deprecated.MITAKA,
in_favor_of='a similar function in the v3 API',
remove_in=+4)
return deprecated(f)
def wrapper(*args, **kwargs):
deprecated = versionutils.deprecated(
what=f.__name__ + ' of the v2 Authentication APIs',
as_of=versionutils.deprecated.MITAKA,
in_favor_of=('a similar function in the v3 Authentication APIs'),
remove_in=0)
return deprecated(f)
def wrapper(*args, **kwargs):
x = versionutils.deprecated(
what='keystone.service.' + f.__name__ + '()',
as_of=versionutils.deprecated.MITAKA,
remove_in=+2,
in_favor_of='keystone.version.service.' + f.__name__ + '()')
return x(f)
def get_token_data(self, user_id, method_names, extras=None,
domain_id=None, project_id=None, expires=None,
trust=None, token=None, include_catalog=True,
bind=None, access_token=None, issued_at=None,
audit_info=None):
if extras is None:
extras = {}
if extras:
versionutils.deprecated(
what='passing token data with "extras"',
as_of=versionutils.deprecated.KILO,
in_favor_of='well-defined APIs')(lambda: None)()
token_data = {'methods': method_names,
'extras': extras}
# We've probably already written these to the token
if token:
for x in ('roles', 'user', 'catalog', 'project', 'domain'):
if x in token:
token_data[x] = token[x]
if CONF.trust.enabled and trust:
if user_id != trust['trustee_user_id']:
raise exception.Forbidden(_('User is not a trustee.'))
if bind:
token_data['bind'] = bind
self._populate_scope(token_data, domain_id, project_id)
self._populate_user(token_data, user_id, trust)
self._populate_roles(token_data, user_id, domain_id, project_id, trust,
access_token)
self._populate_audit_info(token_data, audit_info)
if include_catalog:
self._populate_service_catalog(token_data, user_id, domain_id,
project_id, trust)
self._populate_service_providers(token_data)
self._populate_token_dates(token_data, expires=expires, trust=trust,
issued_at=issued_at)
self._populate_oauth_section(token_data, access_token)
return {'token': token_data}
# Copyright (C) 2013 eNovance SAS <*****@*****.**>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
"""Log helper functions."""
from oslo_log import helpers
from oslo_log import versionutils
log = versionutils.deprecated(
as_of=versionutils.deprecated.LIBERTY,
in_favor_of='oslo_log.helpers.log_method_call')(helpers.log_method_call)
def wrapper(*args, **kwargs):
x = versionutils.deprecated(
what='assignment.' + f.__name__ + '()',
as_of=versionutils.deprecated.KILO,
in_favor_of='resource.' + f.__name__ + '()')
return x(f)
# Copyright (C) 2011 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from oslo_log import versionutils
versionutils.deprecated(
what='keystone.common.ldap.models',
as_of=versionutils.deprecated.NEWTON,
remove_in=+2,
in_favor_of='keystone.identity.backends.ldap.models')
# NOTE(notmorgan): This is maintained for compatibility in case outside
# developers are relying on this location.
from keystone.identity.backends.ldap.models import * # noqa
def wrapper(*args, **kwargs):
deprecated = versionutils.deprecated(
what=f.__name__ + ' of the v3 Policy APIs',
as_of=versionutils.deprecated.QUEENS)
return deprecated(f)
# Copyright 2012 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_log import versionutils
versionutils.deprecated(what='keystone.common.ldap',
as_of=versionutils.deprecated.NEWTON,
remove_in=+2,
in_favor_of='keystone.identity.backends.ldap.common')
# NOTE(notmorgan): This is maintained for compatibility in case outside
# developers are relying on this location.
from keystone.identity.backends.ldap.common import * # noqa
def wrapper(wrapped_self, role_id, *args, **kwargs):
"""Send a notification if the wrapped callable is successful."""
""" NOTE(stevemar): The reason we go through checking kwargs
and args for possible target and actor values is because the
create_grant() (and delete_grant()) method are called
differently in various tests.
Using named arguments, i.e.:
create_grant(user_id=user['id'], domain_id=domain['id'],
role_id=role['id'])
Or, using positional arguments, i.e.:
create_grant(role_id['id'], user['id'], None,
domain_id=domain['id'], None)
Or, both, i.e.:
create_grant(role_id['id'], user_id=user['id'],
domain_id=domain['id'])
Checking the values for kwargs is easy enough, since it comes
in as a dictionary
The actual method signature is
create_grant(role_id, user_id=None, group_id=None,
domain_id=None, project_id=None,
inherited_to_projects=False)
So, if the values of actor or target are still None after
checking kwargs, we can check the positional arguments,
based on the method signature.
"""
call_args = inspect.getcallargs(
f, wrapped_self, role_id, *args, **kwargs)
inherited = call_args['inherited_to_projects']
context = call_args['context']
initiator = _get_request_audit_info(context)
target = resource.Resource(typeURI=taxonomy.ACCOUNT_USER)
audit_kwargs = {}
if call_args['project_id']:
audit_kwargs['project'] = call_args['project_id']
elif call_args['domain_id']:
audit_kwargs['domain'] = call_args['domain_id']
if call_args['user_id']:
audit_kwargs['user'] = call_args['user_id']
elif call_args['group_id']:
audit_kwargs['group'] = call_args['group_id']
audit_kwargs['inherited_to_projects'] = inherited
audit_kwargs['role'] = role_id
# For backward compatibility, send both old and new event_type.
# Deprecate old format and remove it in the next release.
event_types = [self.deprecated_event_type, self.event_type]
versionutils.deprecated(
as_of=versionutils.deprecated.KILO,
remove_in=+1,
what=('sending duplicate %s notification event type' %
self.deprecated_event_type),
in_favor_of='%s notification event type' % self.event_type)
try:
result = f(wrapped_self, role_id, *args, **kwargs)
except Exception:
for event_type in event_types:
_send_audit_notification(self.action, initiator,
taxonomy.OUTCOME_FAILURE,
target, event_type,
**audit_kwargs)
raise
else:
for event_type in event_types:
_send_audit_notification(self.action, initiator,
taxonomy.OUTCOME_SUCCESS,
target, event_type,
**audit_kwargs)
return result
def wrapper(*args, **kwargs):
x = versionutils.deprecated(what='assignment.' + f.__name__ + '()',
as_of=versionutils.deprecated.KILO,
in_favor_of='resource.' + f.__name__ +
'()')
return x(f)
def wrapper(wrapped_self, role_id, *args, **kwargs):
"""Send a notification if the wrapped callable is successful."""
""" NOTE(stevemar): The reason we go through checking kwargs
and args for possible target and actor values is because the
create_grant() (and delete_grant()) method are called
differently in various tests.
Using named arguments, i.e.:
create_grant(user_id=user['id'], domain_id=domain['id'],
role_id=role['id'])
Or, using positional arguments, i.e.:
create_grant(role_id['id'], user['id'], None,
domain_id=domain['id'], None)
Or, both, i.e.:
create_grant(role_id['id'], user_id=user['id'],
domain_id=domain['id'])
Checking the values for kwargs is easy enough, since it comes
in as a dictionary
The actual method signature is
create_grant(role_id, user_id=None, group_id=None,
domain_id=None, project_id=None,
inherited_to_projects=False)
So, if the values of actor or target are still None after
checking kwargs, we can check the positional arguments,
based on the method signature.
"""
call_args = inspect.getcallargs(f, wrapped_self, role_id, *args,
**kwargs)
inherited = call_args['inherited_to_projects']
context = call_args['context']
initiator = _get_request_audit_info(context)
target = resource.Resource(typeURI=taxonomy.ACCOUNT_USER)
audit_kwargs = {}
if call_args['project_id']:
audit_kwargs['project'] = call_args['project_id']
elif call_args['domain_id']:
audit_kwargs['domain'] = call_args['domain_id']
if call_args['user_id']:
audit_kwargs['user'] = call_args['user_id']
elif call_args['group_id']:
audit_kwargs['group'] = call_args['group_id']
audit_kwargs['inherited_to_projects'] = inherited
audit_kwargs['role'] = role_id
# For backward compatibility, send both old and new event_type.
# Deprecate old format and remove it in the next release.
event_types = [self.deprecated_event_type, self.event_type]
versionutils.deprecated(
as_of=versionutils.deprecated.KILO,
remove_in=+1,
what=('sending duplicate %s notification event type' %
self.deprecated_event_type),
in_favor_of='%s notification event type' % self.event_type)
try:
result = f(wrapped_self, role_id, *args, **kwargs)
except Exception:
for event_type in event_types:
_send_audit_notification(self.action, initiator,
taxonomy.OUTCOME_FAILURE, target,
event_type, **audit_kwargs)
raise
else:
for event_type in event_types:
_send_audit_notification(self.action, initiator,
taxonomy.OUTCOME_SUCCESS, target,
event_type, **audit_kwargs)
return result
# Copyright (C) 2013 eNovance SAS <*****@*****.**>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
"""Log helper functions."""
from oslo_log import helpers
from oslo_log import versionutils
log = versionutils.deprecated(as_of=versionutils.deprecated.LIBERTY,
in_favor_of='oslo_log.helpers.log_method_call')(
helpers.log_method_call)
