def delete_grant(self,
role_id,
user_id=None,
group_id=None,
domain_id=None,
project_id=None,
inherited_to_projects=False):
self.get_role(role_id)
if domain_id:
self.get_domain(domain_id)
if project_id:
self.get_project(project_id)
try:
metadata_ref = self._get_metadata(user_id, project_id, domain_id,
group_id)
except exception.MetadataNotFound:
metadata_ref = {}
try:
metadata_ref['roles'] = self._remove_role_from_role_dicts(
role_id, inherited_to_projects, metadata_ref.get('roles', []))
except KeyError:
raise exception.RoleNotFound(role_id=role_id)
self._update_metadata(user_id, project_id, metadata_ref, domain_id,
group_id)
def get_grant(self,
role_id,
user_id=None,
group_id=None,
domain_id=None,
project_id=None,
inherited_to_projects=False):
role_ref = self.get_role(role_id)
if domain_id:
self.get_domain(domain_id)
if project_id:
self.get_project(project_id)
try:
metadata_ref = self._get_metadata(user_id, project_id, domain_id,
group_id)
except exception.MetadataNotFound:
metadata_ref = {}
role_ids = set(
self._roles_from_role_dicts(metadata_ref.get('roles', []),
inherited_to_projects))
if role_id not in role_ids:
raise exception.RoleNotFound(role_id=role_id)
return role_ref
def delete_user(self, role_dn, user_dn, role_id):
try:
super(RoleApi, self).remove_member(user_dn, role_dn)
except (self.NotFound, ldap.NO_SUCH_ATTRIBUTE):
raise exception.RoleNotFound(message=_(
'Cannot remove role that has not been granted, %s') %
role_id)
def delete_grant(self,
role_id,
user_id=None,
group_id=None,
domain_id=None,
project_id=None,
inherited_to_projects=False):
self.get_role(role_id)
if domain_id:
self.get_domain(domain_id)
if project_id:
self.get_project(project_id)
try:
metadata_ref = self._get_metadata(user_id, project_id, domain_id,
group_id)
except exception.MetadataNotFound:
metadata_ref = {}
try:
if user_id is None:
metadata_ref['roles'] = (
self._remove_role_from_group_and_project(
group_id, project_id, role_id))
else:
metadata_ref['roles'] = self.remove_role_from_user_and_project(
user_id, project_id, role_id)
except KeyError:
raise exception.RoleNotFound(role_id=role_id)
def delete_grant(self, role_id, user_id=None, group_id=None,
domain_id=None, project_id=None):
self.get_role(role_id)
if user_id:
self.get_user(user_id)
if group_id:
self.get_group(group_id)
if domain_id:
self.get_domain(domain_id)
if project_id:
self.get_project(project_id)
try:
metadata_ref = self.get_metadata(user_id, project_id,
domain_id, group_id)
except exception.MetadataNotFound:
metadata_ref = {}
roles = set(metadata_ref.get('roles', []))
try:
roles.remove(role_id)
except KeyError:
raise exception.RoleNotFound(role_id=role_id)
metadata_ref['roles'] = list(roles)
self.update_metadata(user_id, project_id, metadata_ref,
domain_id, group_id)
def _check_role_for_trust(self, context, trust_id, role_id):
"""Checks if a role has been assigned to a trust."""
trust = self.trust_api.get_trust(trust_id)
user_id = self._get_user_id(context)
_trustor_trustee_only(trust, user_id)
if not any(role['id'] == role_id for role in trust['roles']):
raise exception.RoleNotFound(role_id=role_id)
def _require_trustor_has_role_in_project(self, trust):
user_roles = self._get_user_role(trust)
for trust_role in trust['roles']:
matching_roles = [x for x in user_roles
if x == trust_role['id']]
if not matching_roles:
raise exception.RoleNotFound(role_id=trust_role['id'])
def validate_shadow_mapping(shadow_projects, existing_roles, idp_domain_id,
idp_id):
# Validate that the roles in the shadow mapping actually exist. If
# they don't we should bail early before creating anything.
for shadow_project in shadow_projects:
for shadow_role in shadow_project['roles']:
# The role in the project mapping must exist in order for it to
# be useful.
if shadow_role['name'] not in existing_roles:
LOG.error(
'Role %s was specified in the mapping but does '
'not exist. All roles specified in a mapping must '
'exist before assignment.', shadow_role['name'])
# NOTE(lbragstad): The RoleNotFound exception usually
# expects a role_id as the parameter, but in this case we
# only have a name so we'll pass that instead.
raise exception.RoleNotFound(shadow_role['name'])
role = existing_roles[shadow_role['name']]
if (role['domain_id'] is not None
and role['domain_id'] != idp_domain_id):
LOG.error(
'Role %(role)s is a domain-specific role and '
'cannot be assigned within %(domain)s.', {
'role': shadow_role['name'],
'domain': idp_domain_id
})
raise exception.DomainSpecificRoleNotWithinIdPDomain(
role_name=shadow_role['name'],
identity_provider=idp_id)
def delete_role(self, role_id):
try:
self.db.delete('role-%s' % role_id)
except exception.NotFound:
raise exception.RoleNotFound(role_id=role_id)
role_list = set(self.db.get('role_list', []))
role_list.remove(role_id)
self.db.set('role_list', list(role_list))
def get_by_name(self, name, filter=None):
roles = self.get_all('(%s=%s)' %
(self.attribute_mapping['name'],
ldap_filter.escape_filter_chars(name)))
try:
return roles[0]
except IndexError:
raise exception.RoleNotFound(role_id=name)
def create_trust(self, context, trust=None):
"""Create a new trust.
The user creating the trust must be the trustor.
"""
# TODO(ayoung): instead of raising ValidationError on the first
# problem, return a collection of all the problems.
# Explicitly prevent a trust token from creating a new trust.
auth_context = context.get('environment',
{}).get('KEYSTONE_AUTH_CONTEXT', {})
if auth_context.get('is_delegated_auth'):
raise exception.Forbidden(
_('Cannot create a trust'
' with a token issued via delegation.'))
if not trust:
raise exception.ValidationError(attribute='trust',
target='request')
if trust.get('project_id') and not trust.get('roles'):
raise exception.Forbidden(
_('At least one role should be specified.'))
try:
user_id = self._get_user_id(context)
_trustor_only(context, trust, user_id)
#confirm that the trustee exists
self.identity_api.get_user(trust['trustee_user_id'])
all_roles = self.assignment_api.list_roles()
clean_roles = self._clean_role_list(context, trust, all_roles)
if trust.get('project_id'):
user_role = self.assignment_api.get_roles_for_user_and_project(
user_id, trust['project_id'])
else:
user_role = []
for trust_role in clean_roles:
matching_roles = [
x for x in user_role if x == trust_role['id']
]
if not matching_roles:
raise exception.RoleNotFound(role_id=trust_role['id'])
if trust.get('expires_at') is not None:
if not trust['expires_at'].endswith('Z'):
trust['expires_at'] += 'Z'
try:
trust['expires_at'] = (timeutils.parse_isotime(
trust['expires_at']))
except ValueError:
raise exception.ValidationTimeStampError()
trust_id = uuid.uuid4().hex
new_trust = self.trust_api.create_trust(trust_id, trust,
clean_roles)
self._fill_in_roles(context, new_trust, all_roles)
return TrustV3.wrap_member(context, new_trust)
except KeyError as e:
raise exception.ValidationError(attribute=e.args[0],
target='trust')
def _get_role_id(self, role_name):
session = self.get_session()
query = session.query(sql.Role).filter_by(name=role_name)
try:
role_ref = query.one()
except keystone_sql.NotFound:
raise exception.RoleNotFound(role_id=role_name)
return role_ref.to_dict()['id']
def get_role_for_trust(self, context, trust_id, role_id):
"""Checks if a role has been assigned to a trust."""
trust = self.trust_api.get_trust(context, trust_id)
if not trust:
raise exception.TrustNotFound(trust_id)
user_id = self._get_user_id(context)
_admin_trustor_trustee_only(context, trust, user_id)
matching_roles = [x for x in trust['roles'] if x['id'] == role_id]
if not matching_roles:
raise exception.RoleNotFound(role_id=role_id)
global_roles = self.identity_api.list_roles(context)
matching_roles = [x for x in global_roles if x['id'] == role_id]
if matching_roles:
full_role = (identity.controllers.RoleV3.wrap_member(
context, matching_roles[0]))
return full_role
else:
raise exception.RoleNotFound(role_id=role_id)
def check_role_for_trust(self, context, trust_id, role_id):
"""Checks if a role has been assigned to a trust."""
trust = self.trust_api.get_trust(context, trust_id)
if not trust:
raise exception.TrustNotFound(trust_id)
user_id = self._get_user_id(context)
_admin_trustor_trustee_only(context, trust, user_id)
matching_roles = [x for x in trust['roles'] if x['id'] == role_id]
if not matching_roles:
raise exception.RoleNotFound(role_id=role_id)
def delete_role(self, role_id):
session = self.get_session()
try:
ref = session.query(Role).filter_by(id=role_id).one()
except sql.NotFound:
raise exception.RoleNotFound(role_id=role_id)
with session.begin():
for metadata_ref in session.query(UserProjectGrant):
try:
self.delete_grant(role_id,
user_id=metadata_ref.user_id,
project_id=metadata_ref.project_id)
except exception.RoleNotFound:
pass
for metadata_ref in session.query(UserDomainGrant):
try:
self.delete_grant(role_id,
user_id=metadata_ref.user_id,
domain_id=metadata_ref.domain_id)
except exception.RoleNotFound:
pass
for metadata_ref in session.query(GroupProjectGrant):
try:
self.delete_grant(role_id,
group_id=metadata_ref.group_id,
project_id=metadata_ref.project_id)
except exception.RoleNotFound:
pass
for metadata_ref in session.query(GroupDomainGrant):
try:
self.delete_grant(role_id,
group_id=metadata_ref.group_id,
domain_id=metadata_ref.domain_id)
except exception.RoleNotFound:
pass
if not session.query(Role).filter_by(id=role_id).delete():
raise exception.RoleNotFound(role_id=role_id)
session.delete(ref)
session.flush()
def update_role(self, role_id, role):
session = self.get_session()
with session.begin():
role_ref = session.query(Role).filter_by(id=role_id).first()
if role_ref is None:
raise exception.RoleNotFound(role_id=role_id)
for k in role:
role_ref[k] = role[k]
session.flush()
return role_ref
def remove_role_from_user_and_project(self, user_id, tenant_id, role_id):
with sql.transaction() as session:
q = session.query(RoleAssignment)
q = q.filter_by(actor_id=user_id)
q = q.filter_by(target_id=tenant_id)
q = q.filter_by(role_id=role_id)
if q.delete() == 0:
raise exception.RoleNotFound(message=_(
'Cannot remove role that has not been granted, %s') %
role_id)
def get_role_for_trust(self, request, trust_id, role_id):
"""Get a role that has been assigned to a trust."""
trust = self.trust_api.get_trust(trust_id)
_trustor_trustee_only(trust, request.context.user_id)
if not any(role['id'] == role_id for role in trust['roles']):
raise exception.RoleNotFound(role_id=role_id)
role = self.role_api.get_role(role_id)
return assignment.controllers.RoleV3.wrap_member(
request.context_dict, role)
def delete_user(self, role_dn, user_dn, tenant_dn, user_id, role_id):
conn = self.get_connection()
try:
conn.modify_s(role_dn,
[(ldap.MOD_DELETE, self.member_attribute, user_dn)])
except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE):
raise exception.RoleNotFound(
message=_('Cannot remove role that has not been granted, %s') %
role_id)
finally:
conn.unbind_s()
def get(self, trust_id, role_id):
"""Get a role that has been assigned to a trust."""
ENFORCER.enforce_call(action='identity:get_role_for_trust')
trust = PROVIDERS.trust_api.get_trust(trust_id)
_trustor_trustee_only(trust)
if not any(role['id'] == role_id for role in trust['roles']):
raise exception.RoleNotFound(role_id=role_id)
role = PROVIDERS.role_api.get_role(role_id)
return ks_flask.ResourceBase.wrap_member(role, collection_name='roles',
member_name='role')
def remove_role_from_user_and_project(self, user_id, tenant_id, role_id):
try:
metadata_ref = self.get_metadata(user_id, tenant_id)
roles = set(metadata_ref.get('roles', []))
if role_id not in roles:
msg = _('Cannot remove role that has not been granted, %s' %
role_id)
raise exception.RoleNotFound(message=msg)
roles.remove(role_id)
metadata_ref['roles'] = list(roles)
if len(roles):
self.update_metadata(user_id, tenant_id, metadata_ref)
else:
session = self.get_session()
q = session.query(UserProjectGrant)
q = q.filter_by(project_id=tenant_id)
q.delete()
except exception.MetadataNotFound:
msg = 'Cannot remove role that has not been granted, %s' % role_id
raise exception.RoleNotFound(message=msg)
def update(self, role_id, role):
if role['id'] != role_id:
raise exception.ValidationError('Cannot change role ID')
try:
old_name = self.get_by_name(role['name'])
raise exception.Conflict('Cannot duplicate name %s' % role['name'])
except exception.NotFound:
pass
try:
super(RoleApi, self).update(role_id, role)
except exception.NotFound:
raise exception.RoleNotFound(role_id=role_id)
def remove_role_from_user_and_tenant(self, user_id, tenant_id, role_id):
metadata_ref = self.get_metadata(user_id, tenant_id)
if not metadata_ref:
metadata_ref = {}
roles = set(metadata_ref.get('roles', []))
if role_id not in roles:
msg = 'Cannot remove role that has not been granted, %s' % role_id
raise exception.RoleNotFound(message=msg)
roles.remove(role_id)
metadata_ref['roles'] = list(roles)
self.update_metadata(user_id, tenant_id, metadata_ref)
def get_access_token_role(self, context, user_id, access_token_id,
role_id):
access_token = self.oauth_api.get_access_token(access_token_id)
if access_token['authorizing_user_id'] != user_id:
raise exception.Unauthorized(_('User IDs do not match'))
roles = access_token['requested_roles']
roles_dict = jsonutils.loads(roles)
for role in roles_dict:
if role['id'] == role_id:
role = self._format_role_entity(role)
return AccessTokenRolesV3.wrap_member(context, role)
raise exception.RoleNotFound(_('Could not find role'))
def get_access_token_role(self, context, user_id,
access_token_id, role_id):
access_token = self.oauth_api.get_access_token(access_token_id)
if access_token['authorizing_user_id'] != user_id:
raise exception.Unauthorized(_('User IDs do not match'))
authed_role_ids = access_token['role_ids']
authed_role_ids = jsonutils.loads(authed_role_ids)
for authed_role_id in authed_role_ids:
if authed_role_id == role_id:
role = self._format_role_entity(role_id)
return AccessTokenRolesV3.wrap_member(context, role)
raise exception.RoleNotFound(_('Could not find role'))
def get(self, trust_id, role_id):
"""Get a role that has been assigned to a trust."""
ENFORCER.enforce_call(action='identity:get_role_for_trust')
trust = PROVIDERS.trust_api.get_trust(trust_id)
_trustor_trustee_only(trust)
if not any(role['id'] == role_id for role in trust['roles']):
raise exception.RoleNotFound(role_id=role_id)
role = PROVIDERS.role_api.get_role(role_id)
# TODO(morgan): Correct this to allow for local member wrapping of
# RoleV3.
return assignment.controllers.RoleV3.wrap_member(
{'environment': flask.request.environ}, role)
def delete_grant(self,
role_id,
user_id=None,
group_id=None,
domain_id=None,
project_id=None,
inherited_to_projects=False):
with sql.transaction() as session:
q = self._build_grant_filter(session, role_id, user_id, group_id,
domain_id, project_id,
inherited_to_projects)
if not q.delete(False):
raise exception.RoleNotFound(role_id=role_id)
def remove_role_from_user_and_project(self, user_id, tenant_id, role_id):
try:
metadata_ref = self._get_metadata(user_id, tenant_id)
try:
metadata_ref['roles'] = self._remove_role_from_role_dicts(
role_id, False, metadata_ref.get('roles', []))
except KeyError:
raise exception.RoleNotFound(message=_(
'Cannot remove role that has not been granted, %s') %
role_id)
if len(metadata_ref['roles']):
self._update_metadata(user_id, tenant_id, metadata_ref)
else:
session = self.get_session()
q = session.query(UserProjectGrant)
q = q.filter_by(user_id=user_id)
q = q.filter_by(project_id=tenant_id)
q.delete()
except exception.MetadataNotFound:
msg = 'Cannot remove role that has not been granted, %s' % role_id
raise exception.RoleNotFound(message=msg)
def create_trust(self, context, trust=None):
"""Create a new trust.
The user creating the trust must be the trustor.
"""
# TODO(ayoung): instead of raising ValidationError on the first
# problem, return a collection of all the problems.
if not trust:
raise exception.ValidationError(attribute='trust',
target='request')
try:
user_id = self._get_user_id(context)
_trustor_only(context, trust, user_id)
#confirm that the trustee exists
trustee_ref = self.identity_api.get_user(trust['trustee_user_id'])
if not trustee_ref:
raise exception.UserNotFound(user_id=trust['trustee_user_id'])
all_roles = self.assignment_api.list_roles()
clean_roles = self._clean_role_list(context, trust, all_roles)
if trust.get('project_id'):
user_role = self.assignment_api.get_roles_for_user_and_project(
user_id,
trust['project_id'])
else:
user_role = []
for trust_role in clean_roles:
matching_roles = [x for x in user_role
if x == trust_role['id']]
if not matching_roles:
raise exception.RoleNotFound(role_id=trust_role['id'])
if trust.get('expires_at') is not None:
if not trust['expires_at'].endswith('Z'):
trust['expires_at'] += 'Z'
try:
trust['expires_at'] = (timeutils.parse_isotime
(trust['expires_at']))
except ValueError:
raise exception.ValidationTimeStampError()
trust_id = uuid.uuid4().hex
new_trust = self.trust_api.create_trust(trust_id,
trust,
clean_roles)
self._fill_in_roles(context, new_trust, all_roles)
return TrustV3.wrap_member(context, new_trust)
except KeyError as e:
raise exception.ValidationError(attribute=e.args[0],
target='trust')
def default_roles(self):
if not self._default_roles:
with sql.transaction() as session:
query = session.query(sql_role.RoleTable)
query = query.filter(sql_role.RoleTable.name.in_(
CONF.ldap_hybrid.default_roles))
role_refs = query.all()
if len(role_refs) != len(CONF.ldap_hybrid.default_roles):
raise exception.RoleNotFound(
message=_('Could not find one or more roles: %s') %
', '.join(CONF.ldap_hybrid.default_roles))
self._default_roles = [role_ref.id for role_ref in role_refs]
return self._default_roles
