def test_tenant_list_caching(self):
projects = [self.data.project_two, self.data.project_one]
expected_projects = [self.data.project_one, self.data.project_two]
user = self.data.user
unscoped = self.data.unscoped_access_info
self._mock_unscoped_client_with_token(user, unscoped)
self._mock_unscoped_list_projects(user, projects)
self.mox.ReplayAll()
project_list = utils.get_project_list(
user_id=user.id,
auth_url=settings.OPENSTACK_KEYSTONE_URL,
token=unscoped.auth_token,
insecure=False,
cacert=None,
debug=False)
self.assertEqual(project_list, expected_projects)
# Test to validate that requesting the project list again results
# to using the cache and will not make a Keystone call.
self.assertEqual(utils._PROJECT_CACHE.get(unscoped.auth_token),
expected_projects)
project_list = utils.get_project_list(
user_id=user.id,
auth_url=settings.OPENSTACK_KEYSTONE_URL,
token=unscoped.auth_token,
insecure=False,
cacert=None,
debug=False)
self.assertEqual(project_list, expected_projects)
utils.remove_project_cache(unscoped.auth_token)
self.assertIsNone(utils._PROJECT_CACHE.get(unscoped.auth_token))
def _update_project_members(self, request, data, project_id):
# update project members
users_to_add = 0
try:
available_roles = api.keystone.role_list(request)
member_step = self.get_step(PROJECT_USER_MEMBER_SLUG)
# count how many users are to be added
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
role_list = data[field_name]
users_to_add += len(role_list)
# add new users to project
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
role_list = data[field_name]
users_added = 0
for user in role_list:
api.keystone.add_tenant_user_role(request,
project=project_id,
user=user,
role=role.id)
users_added += 1
users_to_add -= users_added
except Exception:
if PROJECT_GROUP_ENABLED:
group_msg = _(", add project groups")
else:
group_msg = ""
exceptions.handle(request,
_('Failed to add %(users_to_add)s project '
'members%(group_msg)s and set project quotas.')
% {'users_to_add': users_to_add,
'group_msg': group_msg})
finally:
auth_utils.remove_project_cache(request.user.token.unscoped_token)
def test_tenant_list_caching(self):
projects = [self.data.project_two, self.data.project_one]
expected_projects = [self.data.project_one, self.data.project_two]
user = self.data.user
unscoped = self.data.unscoped_access_info
client = self._mock_unscoped_client_with_token(user, unscoped)
self._mock_unscoped_list_projects(client, user, projects)
self.mox.ReplayAll()
project_list = utils.get_project_list(
user_id=user.id,
auth_url=settings.OPENSTACK_KEYSTONE_URL,
token=unscoped.auth_token)
self.assertEqual(project_list, expected_projects)
# Test to validate that requesting the project list again results
# to using the cache and will not make a Keystone call.
self.assertEqual(utils._PROJECT_CACHE.get(unscoped.auth_token),
expected_projects)
project_list = utils.get_project_list(
user_id=user.id,
auth_url=settings.OPENSTACK_KEYSTONE_URL,
token=unscoped.auth_token)
self.assertEqual(project_list, expected_projects)
utils.remove_project_cache(unscoped.auth_token)
self.assertIsNone(utils._PROJECT_CACHE.get(unscoped.auth_token))
def _update_project_members(self, request, data, project_id):
# update project members
users_to_add = 0
try:
available_roles = api.keystone.role_list(request)
member_step = self.get_step(PROJECT_USER_MEMBER_SLUG)
# count how many users are to be added
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
role_list = data[field_name]
users_to_add += len(role_list)
# add new users to project
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
role_list = data[field_name]
users_added = 0
for user in role_list:
api.keystone.add_tenant_user_role(request,
project=project_id,
user=user,
role=role.id)
users_added += 1
users_to_add -= users_added
except Exception:
if PROJECT_GROUP_ENABLED:
group_msg = _(", add project groups")
else:
group_msg = ""
exceptions.handle(request,
_('Failed to add %(users_to_add)s project '
'members%(group_msg)s and set project quotas.')
% {'users_to_add': users_to_add,
'group_msg': group_msg})
finally:
auth_utils.remove_project_cache(request.user.token.id)
def _update_project_members(self, request, user_id, project_id, default_role_id=None):
try:
api.keystone.add_tenant_user_role(request,
project=project_id,
user=user_id,
role=default_role_id)
except Exception:
exceptions.handle(request,
_('Failed to add user %s to project %s with role %s.')
% (user_id, project_id, default_role_id))
raise
finally:
auth_utils.remove_project_cache(request.user.token.id)
def test_tenant_list_caching(self):
projects = [self.data.project_two, self.data.project_one]
expected_projects = [self.data.project_one, self.data.project_two]
user = self.data.user
unscoped = self.data.unscoped_access_info
self.mox.StubOutWithMock(self.ks_client_module, "Client")
self.mox.StubOutWithMock(self.keystone_client_unscoped.projects,
"list")
self.ks_client_module.Client(user_id=user.id,
auth_url=settings.OPENSTACK_KEYSTONE_URL,
token=unscoped.auth_token,
insecure=False,
cacert=None,
debug=False)\
.AndReturn(self.keystone_client_unscoped)
self.keystone_client_unscoped.projects.list(user=user.id) \
.AndReturn(projects)
self.mox.ReplayAll()
project_list = utils.get_project_list(
user_id=user.id,
auth_url=settings.OPENSTACK_KEYSTONE_URL,
token=unscoped.auth_token,
insecure=False,
cacert=None,
debug=False)
self.assertEqual(project_list, expected_projects)
# Test to validate that requesting the project list again results
# to using the cache and will not make a Keystone call.
self.assertEqual(utils._PROJECT_CACHE.get(unscoped.auth_token),
expected_projects)
project_list = utils.get_project_list(
user_id=user.id,
auth_url=settings.OPENSTACK_KEYSTONE_URL,
token=unscoped.auth_token,
insecure=False,
cacert=None,
debug=False)
self.assertEqual(project_list, expected_projects)
utils.remove_project_cache(unscoped.auth_token)
self.assertIsNone(utils._PROJECT_CACHE.get(unscoped.auth_token))
def delete_token(endpoint, token_id):
"""Delete a token."""
utils.remove_project_cache(token_id)
try:
endpoint = utils.fix_auth_url_version(endpoint)
session = utils.get_session()
auth_plugin = token_endpoint.Token(endpoint=endpoint, token=token_id)
client = utils.get_keystone_client().Client(session=session, auth=auth_plugin)
if utils.get_keystone_version() >= 3:
client.tokens.revoke_token(token=token_id)
else:
client.tokens.delete(token=token_id)
LOG.info("Deleted token %s" % token_id)
except keystone_exceptions.ClientException:
LOG.info("Could not delete token")
def test_tenant_list_caching(self):
tenants = [self.data.tenant_two, self.data.tenant_one]
expected_tenants = [self.data.tenant_one, self.data.tenant_two]
user = self.data.user
unscoped = self.data.unscoped_access_info
self.mox.StubOutWithMock(self.ks_client_module, "Client")
self.mox.StubOutWithMock(self.keystone_client_unscoped.tenants, "list")
self.ks_client_module.Client(user_id=user.id,
auth_url=settings.OPENSTACK_KEYSTONE_URL,
token=unscoped.auth_token,
insecure=False,
cacert=None,
debug=False)\
.AndReturn(self.keystone_client_unscoped)
self.keystone_client_unscoped.tenants.list().AndReturn(tenants)
self.mox.ReplayAll()
tenant_list = utils.get_project_list(
user_id=user.id,
auth_url=settings.OPENSTACK_KEYSTONE_URL,
token=unscoped.auth_token,
insecure=False,
cacert=None,
debug=False)
self.assertEqual(tenant_list, expected_tenants)
# Test to validate that requesting the project list again results
# to using the cache and will not make a Keystone call.
self.assertEqual(utils._PROJECT_CACHE.get(unscoped.auth_token),
expected_tenants)
tenant_list = utils.get_project_list(
user_id=user.id,
auth_url=settings.OPENSTACK_KEYSTONE_URL,
token=unscoped.auth_token,
insecure=False,
cacert=None,
debug=False)
self.assertEqual(tenant_list, expected_tenants)
utils.remove_project_cache(unscoped.auth_token)
self.assertIsNone(utils._PROJECT_CACHE.get(unscoped.auth_token))
def delete_token(endpoint, token_id):
"""Delete a token."""
utils.remove_project_cache(token_id)
try:
endpoint = utils.fix_auth_url_version(endpoint)
session = utils.get_session()
auth_plugin = token_endpoint.Token(endpoint=endpoint, token=token_id)
client = utils.get_keystone_client().Client(session=session,
auth=auth_plugin)
if utils.get_keystone_version() >= 3:
client.tokens.revoke_token(token=token_id)
else:
client.tokens.delete(token=token_id)
LOG.info('Deleted token %s' % token_id)
except keystone_exceptions.ClientException:
LOG.info('Could not delete token')
def delete_token(endpoint, token_id):
"""Delete a token."""
insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
ca_cert = getattr(settings, "OPENSTACK_SSL_CACERT", None)
utils.remove_project_cache(token_id)
try:
if utils.get_keystone_version() < 3:
client = keystone_client_v2.Client(endpoint=endpoint,
token=token_id,
insecure=insecure,
cacert=ca_cert,
debug=settings.DEBUG)
client.tokens.delete(token=token_id)
LOG.info('Deleted token %s' % token_id)
else:
# FIXME: KS-client does not have delete token available
# Need to add this later when it is exposed.
pass
except keystone_exceptions.ClientException:
LOG.info('Could not delete token')
def delete_token(endpoint, token_id):
"""Delete a token."""
insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
ca_cert = getattr(settings, "OPENSTACK_SSL_CACERT", None)
utils.remove_project_cache(token_id)
try:
if utils.get_keystone_version() < 3:
client = keystone_client_v2.Client(
endpoint=endpoint,
token=token_id,
insecure=insecure,
cacert=ca_cert,
debug=settings.DEBUG
)
client.tokens.delete(token=token_id)
LOG.info('Deleted token %s' % token_id)
else:
# FIXME: KS-client does not have delete token available
# Need to add this later when it is exposed.
pass
except keystone_exceptions.ClientException:
LOG.info('Could not delete token')
def _add_project_user_role(self, request, project_id):
try:
role_list = {role.name: role.id
for role in project_identity.role_list(request)}
user = auth_utils.get_user(request)
role_name_list = [role['name'] for role in user.roles]
for role_name in role_name_list:
if role_name in getattr(nec_set,
'DISINHERITED_ROLES', []):
continue
project_identity.add_project_user_role(
request,
project=project_id,
user=user,
role=role_list.get(role_name))
return True
except Exception:
exceptions.handle(request, ignore=True)
return False
finally:
auth_utils.remove_project_cache(request.user.token.id)
def _update_project_members(self, request, data, project_id):
# update project members
users_to_modify = 0
# Project-user member step
member_step = self.get_step(PROJECT_USER_MEMBER_SLUG)
try:
# Get our role options
available_roles = self._get_available_roles(request)
# Get the users currently associated with this project so we
# can diff against it.
users_roles = api.keystone.get_project_users_roles(
request, project=project_id)
users_to_modify = len(users_roles)
for user_id in users_roles.keys():
# Check if there have been any changes in the roles of
# Existing project members.
current_role_ids = list(users_roles[user_id])
modified_role_ids = self._add_roles_to_users(
request, data, project_id, user_id,
current_role_ids, available_roles)
# Prevent admins from doing stupid things to themselves.
removing_admin = self._is_removing_self_admin_role(
request, project_id, user_id, available_roles,
modified_role_ids)
# Otherwise go through and revoke any removed roles.
if not removing_admin:
self._remove_roles_from_user(request, project_id, user_id,
modified_role_ids)
users_to_modify -= 1
# Grant new roles on the project.
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
# Count how many users may be added for exception handling.
users_to_modify += len(data[field_name])
for role in available_roles:
users_added = 0
field_name = member_step.get_member_field_name(role.id)
for user_id in data[field_name]:
if user_id not in users_roles:
api.keystone.add_tenant_user_role(request,
project=project_id,
user=user_id,
role=role.id)
users_added += 1
users_to_modify -= users_added
return True
except Exception:
if PROJECT_GROUP_ENABLED:
group_msg = _(", update project groups")
else:
group_msg = ""
exceptions.handle(request,
_('Failed to modify %(users_to_modify)s'
' project members%(group_msg)s and '
'update project quotas.')
% {'users_to_modify': users_to_modify,
'group_msg': group_msg})
return False
finally:
auth_utils.remove_project_cache(request.user.token.unscoped_token)
def _update_project_members(self, request, data, project_id):
# update project members
users_to_modify = 0
# Project-user member step
member_step = self.get_step(PROJECT_USER_MEMBER_SLUG)
try:
# Get our role options
available_roles = self._get_available_roles(request)
# Get the users currently associated with this project so we
# can diff against it.
users_roles = api.keystone.get_project_users_roles(
request, project=project_id)
users_to_modify = len(users_roles)
for user_id in users_roles.keys():
# Check if there have been any changes in the roles of
# Existing project members.
current_role_ids = list(users_roles[user_id])
modified_role_ids = self._add_roles_to_users(
request, data, project_id, user_id, current_role_ids,
available_roles)
# Prevent admins from doing stupid things to themselves.
removing_admin = self._is_removing_self_admin_role(
request, project_id, user_id, available_roles,
modified_role_ids)
# Otherwise go through and revoke any removed roles.
if not removing_admin:
self._remove_roles_from_user(request, project_id, user_id,
modified_role_ids)
users_to_modify -= 1
# Grant new roles on the project.
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
# Count how many users may be added for exception handling.
users_to_modify += len(data[field_name])
for role in available_roles:
users_added = 0
field_name = member_step.get_member_field_name(role.id)
for user_id in data[field_name]:
if user_id not in users_roles:
api.keystone.add_tenant_user_role(request,
project=project_id,
user=user_id,
role=role.id)
users_added += 1
users_to_modify -= users_added
return True
except Exception:
if PROJECT_GROUP_ENABLED:
group_msg = _(", update project groups")
else:
group_msg = ""
exceptions.handle(
request,
_('Failed to modify %(users_to_modify)s'
' project members%(group_msg)s and '
'update project quotas.') % {
'users_to_modify': users_to_modify,
'group_msg': group_msg
})
return False
finally:
auth_utils.remove_project_cache(request.user.token.id)
def handle(self, table, request, obj_ids):
response = \
super(DeleteTenantsAction, self).handle(table, request, obj_ids)
auth_utils.remove_project_cache(request.user.token.id)
return response
def handle(self, table, request, obj_ids):
response = \
super(DeleteTenantsAction, self).handle(table, request, obj_ids)
auth_utils.remove_project_cache(request.user.token.unscoped_token)
return response
