def update_group(self, context, group_id, group):
self._require_matching_id(group_id, group)
self._require_matching_domain_id(
group_id, group, self.identity_api.get_group)
initiator = notifications._get_request_audit_info(context)
ref = self.identity_api.update_group(group_id, group, initiator)
return GroupV3.wrap_member(context, ref)
def create_user(self, request, user):
validation.lazy_validate(schema.user_create_v2, user)
user = self._normalize_OSKSADM_password_on_request(user)
user = self.normalize_username_in_request(user)
user = self._normalize_dict(user)
self.assert_admin(request)
default_project_id = user.pop('tenantId', None)
if default_project_id is not None:
# Check to see if the project is valid before moving on.
self.resource_api.get_project(default_project_id)
user['default_project_id'] = default_project_id
self.resource_api.ensure_default_domain_exists()
# The manager layer will generate the unique ID for users
user_ref = self._normalize_domain_id(request, user.copy())
initiator = notifications._get_request_audit_info(request.context_dict)
new_user_ref = self.v3_to_v2_user(
self.identity_api.create_user(user_ref, initiator))
if default_project_id is not None:
self.assignment_api.add_user_to_project(default_project_id,
new_user_ref['id'])
return {'user': new_user_ref}
def create_group(self, context, group):
# The manager layer will generate the unique ID for groups
ref = self._normalize_dict(group)
ref = self._normalize_domain_id(context, ref)
initiator = notifications._get_request_audit_info(context)
ref = self.identity_api.create_group(ref, initiator)
return GroupV3.wrap_member(context, ref)
def update_consumer(self, request, consumer_id, consumer):
validation.lazy_validate(schema.consumer_update, consumer)
self._require_matching_id(consumer_id, consumer)
ref = self._normalize_dict(consumer)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.oauth_api.update_consumer(consumer_id, ref, initiator)
return ConsumerCrudV3.wrap_member(request.context_dict, ref)
def _update_user(self, context, user_id, user):
self._require_matching_id(user_id, user)
self._require_matching_domain_id(user_id, user,
self.identity_api.get_user)
initiator = notifications._get_request_audit_info(context)
ref = self.identity_api.update_user(user_id, user, initiator)
return UserV3.wrap_member(context, ref)
def create_user(self, request, user):
# The manager layer will generate the unique ID for users
ref = self._normalize_dict(user)
ref = self._normalize_domain_id(request.context_dict, ref)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.identity_api.create_user(ref, initiator)
return UserV3.wrap_member(request.context_dict, ref)
def create_user(self, context, user):
user = self._normalize_OSKSADM_password_on_request(user)
user = self.normalize_username_in_request(user)
user = self._normalize_dict(user)
self.assert_admin(context)
if 'name' not in user or not user['name']:
msg = _('Name field is required and cannot be empty')
raise exception.ValidationError(message=msg)
if 'enabled' in user and not isinstance(user['enabled'], bool):
msg = _('Enabled field must be a boolean')
raise exception.ValidationError(message=msg)
default_project_id = user.pop('tenantId', None)
if default_project_id is not None:
# Check to see if the project is valid before moving on.
self.resource_api.get_project(default_project_id)
user['default_project_id'] = default_project_id
self.resource_api.ensure_default_domain_exists()
# The manager layer will generate the unique ID for users
user_ref = self._normalize_domain_id(context, user.copy())
initiator = notifications._get_request_audit_info(context)
new_user_ref = self.v3_to_v2_user(
self.identity_api.create_user(user_ref, initiator))
if default_project_id is not None:
self.assignment_api.add_user_to_project(default_project_id,
new_user_ref['id'])
return {'user': new_user_ref}
def create_project(self, context, project):
ref = self._assign_unique_id(self._normalize_dict(project))
ref = self._normalize_domain_id(context, ref)
initiator = notifications._get_request_audit_info(context)
ref = self.resource_api.create_project(ref['id'], ref,
initiator=initiator)
return ProjectV3.wrap_member(context, ref)
def create_project_patched(self, request, project):
validation.lazy_validate(schema.project_create, project)
ref = self._assign_unique_id(self._normalize_dict(project))
if not ref.get('is_domain'):
ref = self._normalize_domain_id(request, ref)
LOG.warn(
"Monkypatch in action! "
"Hacking the new project id to equal the new project name.")
ref['id'] = project['name']
# Our API requires that you specify the location in the hierarchy
# unambiguously. This could be by parent_id or, if it is a top level
# project, just by providing a domain_id.
if not ref.get('parent_id'):
ref['parent_id'] = ref.get('domain_id')
initiator = notifications._get_request_audit_info(request.context_dict)
try:
ref = self.resource_api.create_project(ref['id'], ref,
initiator=initiator)
except (exception.DomainNotFound, exception.ProjectNotFound) as e:
raise exception.ValidationError(e)
return resource_controllers.ProjectV3.wrap_member(request.context_dict, ref)
def delete_access_token(self, context, user_id, access_token_id):
access_token = self.oauth_api.get_access_token(access_token_id)
consumer_id = access_token["consumer_id"]
payload = {"user_id": user_id, "consumer_id": consumer_id}
_emit_user_oauth_consumer_token_invalidate(payload)
initiator = notifications._get_request_audit_info(context)
return self.oauth_api.delete_access_token(user_id, access_token_id, initiator)
def create_endpoint(self, context, endpoint):
core.check_endpoint_url(endpoint['url'])
ref = self._assign_unique_id(self._normalize_dict(endpoint))
ref = self._validate_endpoint_region(ref, context)
initiator = notifications._get_request_audit_info(context)
ref = self.catalog_api.create_endpoint(ref['id'], ref, initiator)
return EndpointV3.wrap_member(context, ref)
def _update_user(self, context, user_id, user):
self._require_matching_id(user_id, user)
self._require_matching_domain_id(
user_id, user, self.identity_api.get_user)
initiator = notifications._get_request_audit_info(context)
ref = self.identity_api.update_user(user_id, user, initiator)
return UserV3.wrap_member(context, ref)
def delete_consumer(self, context, consumer_id):
user_token_ref = utils.get_token_ref(context)
payload = {'user_id': user_token_ref.user_id,
'consumer_id': consumer_id}
_emit_user_oauth_consumer_token_invalidate(payload)
initiator = notifications._get_request_audit_info(context)
self.oauth_api.delete_consumer(consumer_id, initiator)
def create_user(self, request, user):
user = self._normalize_OSKSADM_password_on_request(user)
user = self.normalize_username_in_request(user)
user = self._normalize_dict(user)
self.assert_admin(request)
if 'name' not in user or not user['name']:
msg = _('Name field is required and cannot be empty')
raise exception.ValidationError(message=msg)
if 'enabled' in user and not isinstance(user['enabled'], bool):
msg = _('Enabled field must be a boolean')
raise exception.ValidationError(message=msg)
default_project_id = user.pop('tenantId', None)
if default_project_id is not None:
# Check to see if the project is valid before moving on.
self.resource_api.get_project(default_project_id)
user['default_project_id'] = default_project_id
self.resource_api.ensure_default_domain_exists()
# The manager layer will generate the unique ID for users
user_ref = self._normalize_domain_id(request, user.copy())
initiator = notifications._get_request_audit_info(request.context_dict)
new_user_ref = self.v3_to_v2_user(
self.identity_api.create_user(user_ref, initiator))
if default_project_id is not None:
self.assignment_api.add_user_to_project(default_project_id,
new_user_ref['id'])
return {'user': new_user_ref}
def create_trust(self, request, trust):
"""Create a new trust.
The user creating the trust must be the trustor.
"""
validation.lazy_validate(schema.trust_create, trust)
redelegated_trust = self._find_redelegated_trust(request)
if trust.get('project_id') and not trust.get('roles'):
msg = _('At least one role should be specified.')
raise exception.Forbidden(msg)
# the creating user must be the trustor
if request.context.user_id != trust.get('trustor_user_id'):
msg = _("The authenticated user should match the trustor.")
raise exception.Forbidden(msg)
# ensure trustee exists
self.identity_api.get_user(trust['trustee_user_id'])
# Normalize roles
normalized_roles = self._normalize_role_list(trust.get('roles', []))
trust['roles'] = normalized_roles
self._require_trustor_has_role_in_project(trust)
trust['expires_at'] = self._parse_expiration_date(
trust.get('expires_at'))
trust_id = uuid.uuid4().hex
initiator = notifications._get_request_audit_info(request.context_dict)
new_trust = self.trust_api.create_trust(trust_id, trust,
normalized_roles,
redelegated_trust, initiator)
self._fill_in_roles(request.context_dict, new_trust)
return TrustV3.wrap_member(request.context_dict, new_trust)
def update_project(self, request, project_id, project):
validation.lazy_validate(schema.project_update, project)
self._require_matching_id(project_id, project)
self._require_matching_domain_id(project_id, project, self.resource_api.get_project)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.resource_api.update_project(project_id, project, initiator=initiator)
return ProjectV3.wrap_member(request.context_dict, ref)
def update_role(self, context, role_id, role):
self._require_matching_id(role_id, role)
self._require_matching_domain_id(
role_id, role, self.role_api.get_role)
initiator = notifications._get_request_audit_info(context)
ref = self.role_api.update_role(role_id, role, initiator)
return Role.wrap_member(context, ref)
def create_policy(self, context, policy):
domain_id = policy['domain_id']
count = len(self.policy_api.list_policies_in_domain(domain_id))
if count >= CONF.policy.policy_limit:
raise exception.ForbiddenAction('Policy Creation Forbidden: '
'number of created policy exceeds limit.')
if policy.has_key('enabled') and policy['enabled']:
policy_ref = self.policy_api.get_enabled_policy_in_domain(
domain_id)
if policy_ref:
raise exception.ForbiddenAction('Policy Creation Forbidden: '
'number of enabled policy exceeds limit.')
rules = policy.pop('rules') # rules is a dict
ref = self._assign_unique_id(self._normalize_dict(policy))
initiator = notifications._get_request_audit_info(context)
ref = self.policy_api.create_policy(ref['id'], ref, initiator)
# create each rule in this policy
policy_id = ref['id']
for serv in rules.iterkeys(): # for each service
for item in rules[serv].iteritems():
rule = {'policy_id': policy_id,
'service': serv,
'permission': item[0],
'condition': item[1]}
rule_ref = self._assign_unique_id(self._normalize_dict(rule))
self.rule_api.create_rule(rule_ref['id'], rule_ref,
initiator)
return Policy.wrap_member(context, ref)
def update_group(self, context, group_id, group):
self._require_matching_id(group_id, group)
self._require_matching_domain_id(group_id, group,
self.identity_api.get_group)
initiator = notifications._get_request_audit_info(context)
ref = self.identity_api.update_group(group_id, group, initiator)
return GroupV3.wrap_member(context, ref)
def update_consumer(self, context, consumer_id, consumer):
self._require_matching_id(consumer_id, consumer)
ref = self._normalize_dict(consumer)
self._validate_consumer_ref(ref)
initiator = notifications._get_request_audit_info(context)
ref = self.oauth_api.update_consumer(consumer_id, ref, initiator)
return ConsumerCrudV3.wrap_member(context, ref)
def create_trust(self, context, trust):
"""Create a new trust.
The user creating the trust must be the trustor.
"""
auth_context = context.get("environment", {}).get("KEYSTONE_AUTH_CONTEXT", {})
# Check if delegated via trust
if auth_context.get("is_delegated_auth"):
# Redelegation case
src_trust_id = auth_context["trust_id"]
if not src_trust_id:
raise exception.Forbidden(_("Redelegation allowed for delegated by trust only"))
redelegated_trust = self.trust_api.get_trust(src_trust_id)
else:
redelegated_trust = None
if trust.get("project_id"):
self._require_role(trust)
self._require_user_is_trustor(context, trust)
self._require_trustee_exists(trust["trustee_user_id"])
all_roles = self.role_api.list_roles()
# Normalize roles
normalized_roles = self._normalize_role_list(trust, all_roles)
trust["roles"] = normalized_roles
self._require_trustor_has_role_in_project(trust)
trust["expires_at"] = self._parse_expiration_date(trust.get("expires_at"))
trust_id = uuid.uuid4().hex
initiator = notifications._get_request_audit_info(context)
new_trust = self.trust_api.create_trust(trust_id, trust, normalized_roles, redelegated_trust, initiator)
self._fill_in_roles(context, new_trust, all_roles)
return TrustV3.wrap_member(context, new_trust)
def create_user(self, request, user):
validation.lazy_validate(schema.user_create_v2, user)
user = self._normalize_OSKSADM_password_on_request(user)
user = self.normalize_username_in_request(user)
user = self._normalize_dict(user)
self.assert_admin(request)
default_project_id = user.pop('tenantId', None)
if default_project_id is not None:
# Check to see if the project is valid before moving on.
self.resource_api.get_project(default_project_id)
user['default_project_id'] = default_project_id
self.resource_api.ensure_default_domain_exists()
# The manager layer will generate the unique ID for users
user_ref = self._normalize_domain_id(request, user.copy())
initiator = notifications._get_request_audit_info(request.context_dict)
new_user_ref = self.v3_to_v2_user(
self.identity_api.create_user(user_ref, initiator))
if default_project_id is not None:
self.assignment_api.add_user_to_project(default_project_id,
new_user_ref['id'])
return {'user': new_user_ref}
def update_consumer(self, request, consumer_id, consumer):
validation.lazy_validate(schema.consumer_update, consumer)
self._require_matching_id(consumer_id, consumer)
ref = self._normalize_dict(consumer)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.oauth_api.update_consumer(consumer_id, ref, initiator)
return ConsumerCrudV3.wrap_member(request.context_dict, ref)
def create_user(self, request, user):
# The manager layer will generate the unique ID for users
ref = self._normalize_dict(user)
ref = self._normalize_domain_id(request.context_dict, ref)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.identity_api.create_user(ref, initiator)
return UserV3.wrap_member(request.context_dict, ref)
def create_endpoint(self, request, endpoint):
utils.check_endpoint_url(endpoint['url'])
ref = self._assign_unique_id(self._normalize_dict(endpoint))
ref = self._validate_endpoint_region(ref, request.context_dict)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.catalog_api.create_endpoint(ref['id'], ref, initiator)
return EndpointV3.wrap_member(request.context_dict, ref)
def create_project(self, context, project):
ref = self._assign_unique_id(self._normalize_dict(project))
ref = self._normalize_domain_id(context, ref)
initiator = notifications._get_request_audit_info(context)
ref = self.resource_api.create_project(ref['id'], ref,
initiator=initiator)
return ProjectV3.wrap_member(context, ref)
def delete_consumer(self, context, consumer_id):
user_token_ref = utils.get_token_ref(context)
payload = {'user_id': user_token_ref.user_id,
'consumer_id': consumer_id}
_emit_user_oauth_consumer_token_invalidate(payload)
initiator = notifications._get_request_audit_info(context)
self.oauth_api.delete_consumer(consumer_id, initiator)
def create_project(self, context, project):
LOG.warn("Monkypatch in action! Hacking the new project id to equal "
"the new project name.")
ref = self._assign_unique_id(self._normalize_dict(project))
if not ref.get('is_domain'):
ref = self._normalize_domain_id(context, ref)
# This is the only line that's different
ref['id'] = project['name']
# Our API requires that you specify the location in the hierarchy
# unambiguously. This could be by parent_id or, if it is a top level
# project, just by providing a domain_id.
if not ref.get('parent_id'):
ref['parent_id'] = ref.get('domain_id')
initiator = notifications._get_request_audit_info(context)
try:
ref = self.resource_api.create_project(ref['id'],
ref,
initiator=initiator)
except (exception.DomainNotFound, exception.ProjectNotFound) as e:
raise exception.ValidationError(e)
return resource_controllers.ProjectV3.wrap_member(context, ref)
def create_group(self, context, group):
# The manager layer will generate the unique ID for groups
ref = self._normalize_dict(group)
ref = self._normalize_domain_id(context, ref)
initiator = notifications._get_request_audit_info(context)
ref = self.identity_api.create_group(ref, initiator)
return GroupV3.wrap_member(context, ref)
def update_group(self, request, group_id, group):
validation.lazy_validate(schema.group_update, group)
self._require_matching_id(group_id, group)
self._require_matching_domain_id(group_id, group,
self.identity_api.get_group)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.identity_api.update_group(group_id, group, initiator)
return GroupV3.wrap_member(request.context_dict, ref)
def delete_access_token(self, request, user_id, access_token_id):
access_token = self.oauth_api.get_access_token(access_token_id)
consumer_id = access_token['consumer_id']
payload = {'user_id': user_id, 'consumer_id': consumer_id}
_emit_user_oauth_consumer_token_invalidate(payload)
initiator = notifications._get_request_audit_info(request.context_dict)
return self.oauth_api.delete_access_token(
user_id, access_token_id, initiator)
def create_endpoint(self, request, endpoint):
validation.lazy_validate(schema.endpoint_create, endpoint)
utils.check_endpoint_url(endpoint['url'])
ref = self._assign_unique_id(self._normalize_dict(endpoint))
ref = self._validate_endpoint_region(ref, request.context_dict)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.catalog_api.create_endpoint(ref['id'], ref, initiator)
return EndpointV3.wrap_member(request.context_dict, ref)
def delete_access_token(self, context, user_id, access_token_id):
access_token = self.oauth_api.get_access_token(access_token_id)
consumer_id = access_token['consumer_id']
payload = {'user_id': user_id, 'consumer_id': consumer_id}
_emit_user_oauth_consumer_token_invalidate(payload)
initiator = notifications._get_request_audit_info(context)
return self.oauth_api.delete_access_token(
user_id, access_token_id, initiator)
def create_group(self, request, group):
validation.lazy_validate(schema.group_create, group)
# The manager layer will generate the unique ID for groups
ref = self._normalize_dict(group)
ref = self._normalize_domain_id(request, ref)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.identity_api.create_group(ref, initiator)
return GroupV3.wrap_member(request.context_dict, ref)
def create_group(self, request, group):
validation.lazy_validate(schema.group_create, group)
# The manager layer will generate the unique ID for groups
ref = self._normalize_dict(group)
ref = self._normalize_domain_id(request, ref)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.identity_api.create_group(ref, initiator)
return GroupV3.wrap_member(request.context_dict, ref)
def delete_policy(self, context, policy_id):
initiator = notifications._get_request_audit_info(context)
rules_ref = self.rule_api.list_rules_in_policy(policy_id)
if rules_ref:
for rule_ref in rules_ref:
self.rule_api.delete_rule(rule_ref['id'], initiator)
return self.policy_api.delete_policy(policy_id, initiator)
def update_group(self, request, group_id, group):
validation.lazy_validate(schema.group_update, group)
self._require_matching_id(group_id, group)
self._require_matching_domain_id(
group_id, group, self.identity_api.get_group)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.identity_api.update_group(group_id, group, initiator)
return GroupV3.wrap_member(request.context_dict, ref)
def update_project(self, context, project_id, project):
self._require_matching_id(project_id, project)
self._require_matching_domain_id(
project_id, project, self.resource_api.get_project)
initiator = notifications._get_request_audit_info(context)
ref = self.resource_api.update_project(project_id, project,
initiator=initiator)
return ProjectV3.wrap_member(context, ref)
def update_project(self, context, project_id, project):
self._require_matching_id(project_id, project)
self._require_matching_domain_id(
project_id, project, self.resource_api.get_project)
initiator = notifications._get_request_audit_info(context)
ref = self.resource_api.update_project(project_id, project,
initiator=initiator)
return ProjectV3.wrap_member(context, ref)
def delete_trust(self, context, trust_id):
trust = self.trust_api.get_trust(trust_id)
if not trust:
raise exception.TrustNotFound(trust_id=trust_id)
user_id = self._get_user_id(context)
_admin_trustor_only(context, trust, user_id)
initiator = notifications._get_request_audit_info(context)
self.trust_api.delete_trust(trust_id, initiator)
def update_project(self, request, tenant_id, tenant):
validation.lazy_validate(schema.tenant_update, tenant)
self.assert_admin(request)
self._assert_not_is_domain_project(tenant_id)
initiator = notifications._get_request_audit_info(request.context_dict)
tenant_ref = self.resource_api.update_project(
tenant_id, tenant, initiator)
return {'tenant': self.v3_to_v2_project(tenant_ref)}
def update_project(self, request, tenant_id, tenant):
validation.lazy_validate(schema.tenant_update, tenant)
self.assert_admin(request)
self._assert_not_is_domain_project(tenant_id)
initiator = notifications._get_request_audit_info(request.context_dict)
tenant_ref = self.resource_api.update_project(tenant_id, tenant,
initiator)
return {'tenant': self.v3_to_v2_project(tenant_ref)}
def delete_trust(self, context, trust_id):
trust = self.trust_api.get_trust(trust_id)
if not trust:
raise exception.TrustNotFound(trust_id=trust_id)
user_id = self._get_user_id(context)
_admin_trustor_only(context, trust, user_id)
initiator = notifications._get_request_audit_info(context)
self.trust_api.delete_trust(trust_id, initiator)
def update_endpoint(self, context, endpoint_id, endpoint):
self._require_matching_id(endpoint_id, endpoint)
endpoint = self._validate_endpoint_region(endpoint.copy(), context)
initiator = notifications._get_request_audit_info(context)
ref = self.catalog_api.update_endpoint(endpoint_id, endpoint,
initiator)
return EndpointV3.wrap_member(context, ref)
def delete_trust(self, request, trust_id):
trust = self.trust_api.get_trust(trust_id)
if (request.context.user_id != trust.get('trustor_user_id')
and not request.context.is_admin):
raise exception.Forbidden()
initiator = notifications._get_request_audit_info(request.context_dict)
self.trust_api.delete_trust(trust_id, initiator)
def create_user(self, context, user):
self._require_attribute(user, 'name')
# The manager layer will generate the unique ID for users
ref = self._normalize_dict(user)
ref = self._normalize_domain_id(context, ref)
initiator = notifications._get_request_audit_info(context)
ref = self.identity_api.create_user(ref, initiator)
return User.wrap_member(context, ref)
def delete_trust(self, request, trust_id):
trust = self.trust_api.get_trust(trust_id)
if (request.context.user_id != trust.get('trustor_user_id') and
not request.context.is_admin):
raise exception.Forbidden()
initiator = notifications._get_request_audit_info(request.context_dict)
self.trust_api.delete_trust(trust_id, initiator)
def update_endpoint(self, context, endpoint_id, endpoint):
self._require_matching_id(endpoint_id, endpoint)
endpoint = self._validate_endpoint_region(endpoint.copy(), context)
initiator = notifications._get_request_audit_info(context)
ref = self.catalog_api.update_endpoint(endpoint_id, endpoint,
initiator)
return EndpointV3.wrap_member(context, ref)
def create_service(self, context, OS_KSADM_service):
self.assert_admin(context)
service_id = uuid.uuid4().hex
service_ref = OS_KSADM_service.copy()
service_ref['id'] = service_id
initiator = notifications._get_request_audit_info(context)
new_service_ref = self.catalog_api.create_service(
service_id, service_ref, initiator)
return {'OS-KSADM:service': new_service_ref}
def create_service(self, request, OS_KSADM_service):
self.assert_admin(request.context_dict)
service_id = uuid.uuid4().hex
service_ref = OS_KSADM_service.copy()
service_ref['id'] = service_id
initiator = notifications._get_request_audit_info(request.context_dict)
new_service_ref = self.catalog_api.create_service(
service_id, service_ref, initiator)
return {'OS-KSADM:service': new_service_ref}
def create_request_token(self, request):
oauth_headers = oauth1.get_oauth_headers(request.headers)
consumer_id = oauth_headers.get('oauth_consumer_key')
requested_project_id = request.headers.get('Requested-Project-Id')
if not consumer_id:
raise exception.ValidationError(
attribute='oauth_consumer_key', target='request')
if not requested_project_id:
raise exception.ValidationError(
attribute='requested_project_id', target='request')
# NOTE(stevemar): Ensure consumer and requested project exist
self.resource_api.get_project(requested_project_id)
self.oauth_api.get_consumer(consumer_id)
url = self.base_url(request.context_dict, request.context_dict['path'])
req_headers = {'Requested-Project-Id': requested_project_id}
req_headers.update(request.headers)
request_verifier = oauth1.RequestTokenEndpoint(
request_validator=validator.OAuthValidator(),
token_generator=oauth1.token_generator)
h, b, s = request_verifier.create_request_token_response(
url,
http_method='POST',
body=request.params,
headers=req_headers)
if (not b) or int(s) > 399:
msg = _('Invalid signature')
raise exception.Unauthorized(message=msg)
request_token_duration = CONF.oauth1.request_token_duration
initiator = notifications._get_request_audit_info(request.context_dict)
token_ref = self.oauth_api.create_request_token(consumer_id,
requested_project_id,
request_token_duration,
initiator)
result = ('oauth_token=%(key)s&oauth_token_secret=%(secret)s'
% {'key': token_ref['id'],
'secret': token_ref['request_secret']})
if CONF.oauth1.request_token_duration:
expiry_bit = '&oauth_expires_at=%s' % token_ref['expires_at']
result += expiry_bit
headers = [('Content-Type', 'application/x-www-form-urlencoded')]
response = wsgi.render_response(
result,
status=(http_client.CREATED,
http_client.responses[http_client.CREATED]),
headers=headers)
return response
def create_request_token(self, request):
oauth_headers = oauth1.get_oauth_headers(request.headers)
consumer_id = oauth_headers.get('oauth_consumer_key')
requested_project_id = request.headers.get('Requested-Project-Id')
if not consumer_id:
raise exception.ValidationError(
attribute='oauth_consumer_key', target='request')
if not requested_project_id:
raise exception.ValidationError(
attribute='requested_project_id', target='request')
# NOTE(stevemar): Ensure consumer and requested project exist
self.resource_api.get_project(requested_project_id)
self.oauth_api.get_consumer(consumer_id)
url = self.base_url(request.context_dict, request.context_dict['path'])
req_headers = {'Requested-Project-Id': requested_project_id}
req_headers.update(request.headers)
request_verifier = oauth1.RequestTokenEndpoint(
request_validator=validator.OAuthValidator(),
token_generator=oauth1.token_generator)
h, b, s = request_verifier.create_request_token_response(
url,
http_method='POST',
body=request.params,
headers=req_headers)
if (not b) or int(s) > 399:
msg = _('Invalid signature')
raise exception.Unauthorized(message=msg)
request_token_duration = CONF.oauth1.request_token_duration
initiator = notifications._get_request_audit_info(request.context_dict)
token_ref = self.oauth_api.create_request_token(consumer_id,
requested_project_id,
request_token_duration,
initiator)
result = ('oauth_token=%(key)s&oauth_token_secret=%(secret)s'
% {'key': token_ref['id'],
'secret': token_ref['request_secret']})
if CONF.oauth1.request_token_duration:
expiry_bit = '&oauth_expires_at=%s' % token_ref['expires_at']
result += expiry_bit
headers = [('Content-Type', 'application/x-www-urlformencoded')]
response = wsgi.render_response(
result,
status=(http_client.CREATED,
http_client.responses[http_client.CREATED]),
headers=headers)
return response
def update_project(self, request, project_id, project):
validation.lazy_validate(schema.project_update, project)
self._require_matching_id(project_id, project)
self._require_matching_domain_id(project_id, project,
self.resource_api.get_project)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.resource_api.update_project(project_id,
project,
initiator=initiator)
return ProjectV3.wrap_member(request.context_dict, ref)
def create_service(self, request, OS_KSADM_service):
validation.lazy_validate(schema.service_create_v2, OS_KSADM_service)
self.assert_admin(request)
service_id = uuid.uuid4().hex
service_ref = OS_KSADM_service.copy()
service_ref['id'] = service_id
initiator = notifications._get_request_audit_info(request.context_dict)
new_service_ref = self.catalog_api.create_service(
service_id, service_ref, initiator)
return {'OS-KSADM:service': new_service_ref}
def create_region(self, context, region):
ref = self._normalize_dict(region)
if not ref.get('id'):
ref = self._assign_unique_id(ref)
initiator = notifications._get_request_audit_info(context)
ref = self.catalog_api.create_region(ref, initiator)
return wsgi.render_response(RegionV3.wrap_member(context, ref),
status=(201, 'Created'))
def delete_consumer(self, context, consumer_id):
user_token_ref = token_model.KeystoneToken(
token_id=context['token_id'],
token_data=self.token_provider_api.validate_token(
context['token_id']))
payload = {'user_id': user_token_ref.user_id,
'consumer_id': consumer_id}
_emit_user_oauth_consumer_token_invalidate(payload)
initiator = notifications._get_request_audit_info(context)
self.oauth_api.delete_consumer(consumer_id, initiator)
def update_endpoint(self, request, endpoint_id, endpoint):
validation.lazy_validate(schema.endpoint_update, endpoint)
self._require_matching_id(endpoint_id, endpoint)
endpoint = self._validate_endpoint_region(endpoint.copy(),
request.context_dict)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.catalog_api.update_endpoint(endpoint_id, endpoint,
initiator)
return EndpointV3.wrap_member(request.context_dict, ref)
def create_project(self, context, project):
ref = self._assign_unique_id(self._normalize_dict(project))
ref = self._normalize_domain_id(context, ref)
initiator = notifications._get_request_audit_info(context)
try:
ref = self.resource_api.create_project(ref['id'],
ref,
initiator=initiator)
except exception.DomainNotFound as e:
raise exception.ValidationError(e)
return ProjectV3.wrap_member(context, ref)
