def test_set_and_get_keyring_expired(self):
# Creating a HTTPClient not using session is deprecated.
with self.deprecations.expect_deprecations_here():
cl = httpclient.HTTPClient(username=USERNAME, password=PASSWORD,
project_id=TENANT_ID, auth_url=AUTH_URL,
use_keyring=True)
# set an expired token into the keyring
auth_ref = access.AccessInfo.factory(body=PROJECT_SCOPED_TOKEN)
expired = timeutils.utcnow() - datetime.timedelta(minutes=30)
auth_ref['token']['expires'] = client_utils.isotime(expired)
self.memory_keyring.password = pickle.dumps(auth_ref)
# stub and check that a new token is received, so not using expired
method = 'get_raw_token_from_identity_service'
with mock.patch.object(cl, method) as meth:
meth.return_value = (True, PROJECT_SCOPED_TOKEN)
self.assertTrue(cl.authenticate())
self.assertEqual(1, meth.call_count)
# check that a value was returned from the keyring
self.assertTrue(self.memory_keyring.fetched)
# check that the new token has been loaded into the keyring
new_auth_ref = pickle.loads(self.memory_keyring.password)
self.assertEqual(new_auth_ref['token']['expires'],
PROJECT_SCOPED_TOKEN['access']['token']['expires'])
def test_set_and_get_keyring_expired(self):
cl = httpclient.HTTPClient(username=USERNAME, password=PASSWORD,
project_id=TENANT_ID, auth_url=AUTH_URL,
use_keyring=True)
# set an expired token into the keyring
auth_ref = access.AccessInfo.factory(body=PROJECT_SCOPED_TOKEN)
expired = timeutils.utcnow() - datetime.timedelta(minutes=30)
auth_ref['token']['expires'] = client_utils.isotime(expired)
self.memory_keyring.password = pickle.dumps(auth_ref)
# stub and check that a new token is received, so not using expired
method = 'get_raw_token_from_identity_service'
with mock.patch.object(cl, method) as meth:
meth.return_value = (True, PROJECT_SCOPED_TOKEN)
self.assertTrue(cl.authenticate())
self.assertEqual(1, meth.call_count)
# check that a value was returned from the keyring
self.assertTrue(self.memory_keyring.fetched)
# check that the new token has been loaded into the keyring
new_auth_ref = pickle.loads(self.memory_keyring.password)
self.assertEqual(new_auth_ref['token']['expires'],
PROJECT_SCOPED_TOKEN['access']['token']['expires'])
def create(self,
name,
user=None,
secret=None,
description=None,
expires_at=None,
roles=None,
unrestricted=False,
**kwargs):
"""Create a credential.
:param string name: application credential name
:param string user: User ID
:param secret: application credential secret
:param description: application credential description
:param datetime.datetime expires_at: expiry time
:param List roles: list of roles on the project. Maybe a list of IDs
or a list of dicts specifying role name and domain
:param bool unrestricted: whether the application credential has
restrictions applied
:returns: the created application credential
:rtype:
:class:`keystoneclient.v3.application_credentials.ApplicationCredential`
"""
user = user or self.client.user_id
self.base_url = '/users/%(user)s' % {'user': user}
# Convert roles list into list-of-dict API format
role_list = []
if roles:
if not isinstance(roles, list):
roles = [roles]
for role in roles:
if isinstance(role, six.string_types):
role_list.extend([{'id': role}])
elif isinstance(role, dict):
role_list.extend([role])
else:
msg = (_("Roles must be a list of IDs or role dicts."))
raise exceptions.CommandError(msg)
if not role_list:
role_list = None
# Convert datetime.datetime expires_at to iso format string
if expires_at:
expires_str = utils.isotime(at=expires_at, subsecond=True)
else:
expires_str = None
return super(ApplicationCredentialManager,
self).create(name=name,
secret=secret,
description=description,
expires_at=expires_str,
roles=role_list,
unrestricted=unrestricted,
**kwargs)
def to_dict(self):
keys = ['user_id', 'role_id', 'domain_id', 'project_id']
event = dict((key, self.__dict__[key]) for key in keys
if self.__dict__[key] is not None)
if self.trust_id is not None:
event['OS-TRUST:trust_id'] = self.trust_id
if self.consumer_id is not None:
event['OS-OAUTH1:consumer_id'] = self.consumer_id
if self.consumer_id is not None:
event['OS-OAUTH1:access_token_id'] = self.access_token_id
if self.expires_at is not None:
event['expires_at'] = utils.isotime(self.expires_at,
subsecond=True)
if self.issued_before is not None:
event['issued_before'] = utils.isotime(self.issued_before,
subsecond=True)
return event
def to_dict(self):
keys = ['user_id',
'role_id',
'domain_id',
'project_id']
event = dict((key, self.__dict__[key]) for key in keys
if self.__dict__[key] is not None)
if self.trust_id is not None:
event['OS-TRUST:trust_id'] = self.trust_id
if self.consumer_id is not None:
event['OS-OAUTH1:consumer_id'] = self.consumer_id
if self.consumer_id is not None:
event['OS-OAUTH1:access_token_id'] = self.access_token_id
if self.expires_at is not None:
event['expires_at'] = utils.isotime(self.expires_at,
subsecond=True)
if self.issued_before is not None:
event['issued_before'] = utils.isotime(self.issued_before,
subsecond=True)
return event
def create(self,
trustee_user,
trustor_user,
role_names=None,
role_ids=None,
project=None,
impersonation=False,
expires_at=None,
remaining_uses=None,
**kwargs):
"""Create a Trust.
:param string trustee_user: user who is capable of consuming the trust
:param string trustor_user: user who's authorization is being delegated
:param string role_names: subset of trustor's roles to be granted
:param string role_ids: subset of trustor's roles to be granted
:param string project: project which the trustor is delegating
:param boolean impersonation: enable explicit impersonation
:param datetime.datetime expires_at: expiry time
:param integer remaining_uses: how many times this trust can be used
to generate a token. None means
unlimited tokens.
"""
# Convert role_names list into list-of-dict API format
roles = []
if role_names:
roles.extend([{'name': n} for n in role_names])
if role_ids:
roles.extend([{'id': i} for i in role_ids])
if not roles:
roles = None
# Convert datetime.datetime expires_at to iso format string
if expires_at:
expires_str = utils.isotime(at=expires_at, subsecond=True)
else:
expires_str = None
return super(TrustManager,
self).create(expires_at=expires_str,
impersonation=impersonation,
project_id=base.getid(project),
remaining_uses=remaining_uses,
roles=roles,
trustee_user_id=base.getid(trustee_user),
trustor_user_id=base.getid(trustor_user),
**kwargs)
def test_get_keyring(self):
cl = httpclient.HTTPClient(username=USERNAME, password=PASSWORD,
tenant_id=TENANT_ID, auth_url=AUTH_URL,
use_keyring=True)
# set an token into the keyring
auth_ref = access.AccessInfo.factory(body=PROJECT_SCOPED_TOKEN)
future = timeutils.utcnow() + datetime.timedelta(minutes=30)
auth_ref['token']['expires'] = client_utils.isotime(future)
self.memory_keyring.password = pickle.dumps(auth_ref)
# don't stub get_raw_token so will fail if authenticate happens
self.assertTrue(cl.authenticate())
self.assertTrue(self.memory_keyring.fetched)
def test_get_keyring(self):
cl = httpclient.HTTPClient(username=USERNAME, password=PASSWORD,
project_id=TENANT_ID, auth_url=AUTH_URL,
use_keyring=True)
# set an token into the keyring
auth_ref = access.AccessInfo.factory(body=PROJECT_SCOPED_TOKEN)
future = timeutils.utcnow() + datetime.timedelta(minutes=30)
auth_ref['token']['expires'] = client_utils.isotime(future)
self.memory_keyring.password = pickle.dumps(auth_ref)
# don't stub get_raw_token so will fail if authenticate happens
self.assertTrue(cl.authenticate())
self.assertTrue(self.memory_keyring.fetched)
def create(self, trustee_user, trustor_user, role_names=None,
role_ids=None, project=None, impersonation=False,
expires_at=None, remaining_uses=None, **kwargs):
"""Create a Trust.
:param string trustee_user: user who is capable of consuming the trust
:param string trustor_user: user who's authorization is being delegated
:param string role_names: subset of trustor's roles to be granted
:param string role_ids: subset of trustor's roles to be granted
:param string project: project which the trustor is delegating
:param boolean impersonation: enable explicit impersonation
:param datetime.datetime expires_at: expiry time
:param integer remaining_uses: how many times this trust can be used
to generate a token. None means
unlimited tokens.
"""
# Convert role_names list into list-of-dict API format
roles = []
if role_names:
roles.extend([{'name': n} for n in role_names])
if role_ids:
roles.extend([{'id': i} for i in role_ids])
if not roles:
roles = None
# Convert datetime.datetime expires_at to iso format string
if expires_at:
expires_str = utils.isotime(at=expires_at, subsecond=True)
else:
expires_str = None
return super(TrustManager, self).create(
expires_at=expires_str,
impersonation=impersonation,
project_id=base.getid(project),
remaining_uses=remaining_uses,
roles=roles,
trustee_user_id=base.getid(trustee_user),
trustor_user_id=base.getid(trustor_user),
**kwargs)
def expires(self, value):
self.expires_str = utils.isotime(value, subsecond=True)
def expires(self, value):
self.expires_str = utils.isotime(value)
def updated(self, value):
self.updated_str = utils.isotime(value)
def issued(self, value):
self.issued_str = utils.isotime(value)
def issued(self, value):
self.issued_str = utils.isotime(value)
def expires(self, value):
self.expires_str = utils.isotime(value)
def issued(self, value):
self.issued_str = utils.isotime(value, subsecond=True)
def updated(self, value):
self.updated_str = utils.isotime(value)
def issued(self, value):
self.issued_str = utils.isotime(value, subsecond=True)
def expires(self, value):
self.expires_str = utils.isotime(value, subsecond=True)
