def update_group(self, context, group_id, group): self._require_matching_id(group_id, group) self._require_matching_domain_id( group_id, group, self.identity_api.get_group) initiator = notifications._get_request_audit_info(context) ref = self.identity_api.update_group(group_id, group, initiator) return GroupV3.wrap_member(context, ref)
def create_user(self, request, user): validation.lazy_validate(schema.user_create_v2, user) user = self._normalize_OSKSADM_password_on_request(user) user = self.normalize_username_in_request(user) user = self._normalize_dict(user) self.assert_admin(request) default_project_id = user.pop('tenantId', None) if default_project_id is not None: # Check to see if the project is valid before moving on. self.resource_api.get_project(default_project_id) user['default_project_id'] = default_project_id self.resource_api.ensure_default_domain_exists() # The manager layer will generate the unique ID for users user_ref = self._normalize_domain_id(request, user.copy()) initiator = notifications._get_request_audit_info(request.context_dict) new_user_ref = self.v3_to_v2_user( self.identity_api.create_user(user_ref, initiator)) if default_project_id is not None: self.assignment_api.add_user_to_project(default_project_id, new_user_ref['id']) return {'user': new_user_ref}
def create_group(self, context, group): # The manager layer will generate the unique ID for groups ref = self._normalize_dict(group) ref = self._normalize_domain_id(context, ref) initiator = notifications._get_request_audit_info(context) ref = self.identity_api.create_group(ref, initiator) return GroupV3.wrap_member(context, ref)
def update_consumer(self, request, consumer_id, consumer): validation.lazy_validate(schema.consumer_update, consumer) self._require_matching_id(consumer_id, consumer) ref = self._normalize_dict(consumer) initiator = notifications._get_request_audit_info(request.context_dict) ref = self.oauth_api.update_consumer(consumer_id, ref, initiator) return ConsumerCrudV3.wrap_member(request.context_dict, ref)
def _update_user(self, context, user_id, user): self._require_matching_id(user_id, user) self._require_matching_domain_id(user_id, user, self.identity_api.get_user) initiator = notifications._get_request_audit_info(context) ref = self.identity_api.update_user(user_id, user, initiator) return UserV3.wrap_member(context, ref)
def create_user(self, request, user): # The manager layer will generate the unique ID for users ref = self._normalize_dict(user) ref = self._normalize_domain_id(request.context_dict, ref) initiator = notifications._get_request_audit_info(request.context_dict) ref = self.identity_api.create_user(ref, initiator) return UserV3.wrap_member(request.context_dict, ref)
def create_user(self, context, user): user = self._normalize_OSKSADM_password_on_request(user) user = self.normalize_username_in_request(user) user = self._normalize_dict(user) self.assert_admin(context) if 'name' not in user or not user['name']: msg = _('Name field is required and cannot be empty') raise exception.ValidationError(message=msg) if 'enabled' in user and not isinstance(user['enabled'], bool): msg = _('Enabled field must be a boolean') raise exception.ValidationError(message=msg) default_project_id = user.pop('tenantId', None) if default_project_id is not None: # Check to see if the project is valid before moving on. self.resource_api.get_project(default_project_id) user['default_project_id'] = default_project_id self.resource_api.ensure_default_domain_exists() # The manager layer will generate the unique ID for users user_ref = self._normalize_domain_id(context, user.copy()) initiator = notifications._get_request_audit_info(context) new_user_ref = self.v3_to_v2_user( self.identity_api.create_user(user_ref, initiator)) if default_project_id is not None: self.assignment_api.add_user_to_project(default_project_id, new_user_ref['id']) return {'user': new_user_ref}
def create_project(self, context, project): ref = self._assign_unique_id(self._normalize_dict(project)) ref = self._normalize_domain_id(context, ref) initiator = notifications._get_request_audit_info(context) ref = self.resource_api.create_project(ref['id'], ref, initiator=initiator) return ProjectV3.wrap_member(context, ref)
def create_project_patched(self, request, project): validation.lazy_validate(schema.project_create, project) ref = self._assign_unique_id(self._normalize_dict(project)) if not ref.get('is_domain'): ref = self._normalize_domain_id(request, ref) LOG.warn( "Monkypatch in action! " "Hacking the new project id to equal the new project name.") ref['id'] = project['name'] # Our API requires that you specify the location in the hierarchy # unambiguously. This could be by parent_id or, if it is a top level # project, just by providing a domain_id. if not ref.get('parent_id'): ref['parent_id'] = ref.get('domain_id') initiator = notifications._get_request_audit_info(request.context_dict) try: ref = self.resource_api.create_project(ref['id'], ref, initiator=initiator) except (exception.DomainNotFound, exception.ProjectNotFound) as e: raise exception.ValidationError(e) return resource_controllers.ProjectV3.wrap_member(request.context_dict, ref)
def delete_access_token(self, context, user_id, access_token_id): access_token = self.oauth_api.get_access_token(access_token_id) consumer_id = access_token["consumer_id"] payload = {"user_id": user_id, "consumer_id": consumer_id} _emit_user_oauth_consumer_token_invalidate(payload) initiator = notifications._get_request_audit_info(context) return self.oauth_api.delete_access_token(user_id, access_token_id, initiator)
def create_endpoint(self, context, endpoint): core.check_endpoint_url(endpoint['url']) ref = self._assign_unique_id(self._normalize_dict(endpoint)) ref = self._validate_endpoint_region(ref, context) initiator = notifications._get_request_audit_info(context) ref = self.catalog_api.create_endpoint(ref['id'], ref, initiator) return EndpointV3.wrap_member(context, ref)
def _update_user(self, context, user_id, user): self._require_matching_id(user_id, user) self._require_matching_domain_id( user_id, user, self.identity_api.get_user) initiator = notifications._get_request_audit_info(context) ref = self.identity_api.update_user(user_id, user, initiator) return UserV3.wrap_member(context, ref)
def delete_consumer(self, context, consumer_id): user_token_ref = utils.get_token_ref(context) payload = {'user_id': user_token_ref.user_id, 'consumer_id': consumer_id} _emit_user_oauth_consumer_token_invalidate(payload) initiator = notifications._get_request_audit_info(context) self.oauth_api.delete_consumer(consumer_id, initiator)
def create_user(self, request, user): user = self._normalize_OSKSADM_password_on_request(user) user = self.normalize_username_in_request(user) user = self._normalize_dict(user) self.assert_admin(request) if 'name' not in user or not user['name']: msg = _('Name field is required and cannot be empty') raise exception.ValidationError(message=msg) if 'enabled' in user and not isinstance(user['enabled'], bool): msg = _('Enabled field must be a boolean') raise exception.ValidationError(message=msg) default_project_id = user.pop('tenantId', None) if default_project_id is not None: # Check to see if the project is valid before moving on. self.resource_api.get_project(default_project_id) user['default_project_id'] = default_project_id self.resource_api.ensure_default_domain_exists() # The manager layer will generate the unique ID for users user_ref = self._normalize_domain_id(request, user.copy()) initiator = notifications._get_request_audit_info(request.context_dict) new_user_ref = self.v3_to_v2_user( self.identity_api.create_user(user_ref, initiator)) if default_project_id is not None: self.assignment_api.add_user_to_project(default_project_id, new_user_ref['id']) return {'user': new_user_ref}
def create_trust(self, request, trust): """Create a new trust. The user creating the trust must be the trustor. """ validation.lazy_validate(schema.trust_create, trust) redelegated_trust = self._find_redelegated_trust(request) if trust.get('project_id') and not trust.get('roles'): msg = _('At least one role should be specified.') raise exception.Forbidden(msg) # the creating user must be the trustor if request.context.user_id != trust.get('trustor_user_id'): msg = _("The authenticated user should match the trustor.") raise exception.Forbidden(msg) # ensure trustee exists self.identity_api.get_user(trust['trustee_user_id']) # Normalize roles normalized_roles = self._normalize_role_list(trust.get('roles', [])) trust['roles'] = normalized_roles self._require_trustor_has_role_in_project(trust) trust['expires_at'] = self._parse_expiration_date( trust.get('expires_at')) trust_id = uuid.uuid4().hex initiator = notifications._get_request_audit_info(request.context_dict) new_trust = self.trust_api.create_trust(trust_id, trust, normalized_roles, redelegated_trust, initiator) self._fill_in_roles(request.context_dict, new_trust) return TrustV3.wrap_member(request.context_dict, new_trust)
def update_project(self, request, project_id, project): validation.lazy_validate(schema.project_update, project) self._require_matching_id(project_id, project) self._require_matching_domain_id(project_id, project, self.resource_api.get_project) initiator = notifications._get_request_audit_info(request.context_dict) ref = self.resource_api.update_project(project_id, project, initiator=initiator) return ProjectV3.wrap_member(request.context_dict, ref)
def update_role(self, context, role_id, role): self._require_matching_id(role_id, role) self._require_matching_domain_id( role_id, role, self.role_api.get_role) initiator = notifications._get_request_audit_info(context) ref = self.role_api.update_role(role_id, role, initiator) return Role.wrap_member(context, ref)
def create_policy(self, context, policy): domain_id = policy['domain_id'] count = len(self.policy_api.list_policies_in_domain(domain_id)) if count >= CONF.policy.policy_limit: raise exception.ForbiddenAction('Policy Creation Forbidden: ' 'number of created policy exceeds limit.') if policy.has_key('enabled') and policy['enabled']: policy_ref = self.policy_api.get_enabled_policy_in_domain( domain_id) if policy_ref: raise exception.ForbiddenAction('Policy Creation Forbidden: ' 'number of enabled policy exceeds limit.') rules = policy.pop('rules') # rules is a dict ref = self._assign_unique_id(self._normalize_dict(policy)) initiator = notifications._get_request_audit_info(context) ref = self.policy_api.create_policy(ref['id'], ref, initiator) # create each rule in this policy policy_id = ref['id'] for serv in rules.iterkeys(): # for each service for item in rules[serv].iteritems(): rule = {'policy_id': policy_id, 'service': serv, 'permission': item[0], 'condition': item[1]} rule_ref = self._assign_unique_id(self._normalize_dict(rule)) self.rule_api.create_rule(rule_ref['id'], rule_ref, initiator) return Policy.wrap_member(context, ref)
def update_group(self, context, group_id, group): self._require_matching_id(group_id, group) self._require_matching_domain_id(group_id, group, self.identity_api.get_group) initiator = notifications._get_request_audit_info(context) ref = self.identity_api.update_group(group_id, group, initiator) return GroupV3.wrap_member(context, ref)
def update_consumer(self, context, consumer_id, consumer): self._require_matching_id(consumer_id, consumer) ref = self._normalize_dict(consumer) self._validate_consumer_ref(ref) initiator = notifications._get_request_audit_info(context) ref = self.oauth_api.update_consumer(consumer_id, ref, initiator) return ConsumerCrudV3.wrap_member(context, ref)
def create_trust(self, context, trust): """Create a new trust. The user creating the trust must be the trustor. """ auth_context = context.get("environment", {}).get("KEYSTONE_AUTH_CONTEXT", {}) # Check if delegated via trust if auth_context.get("is_delegated_auth"): # Redelegation case src_trust_id = auth_context["trust_id"] if not src_trust_id: raise exception.Forbidden(_("Redelegation allowed for delegated by trust only")) redelegated_trust = self.trust_api.get_trust(src_trust_id) else: redelegated_trust = None if trust.get("project_id"): self._require_role(trust) self._require_user_is_trustor(context, trust) self._require_trustee_exists(trust["trustee_user_id"]) all_roles = self.role_api.list_roles() # Normalize roles normalized_roles = self._normalize_role_list(trust, all_roles) trust["roles"] = normalized_roles self._require_trustor_has_role_in_project(trust) trust["expires_at"] = self._parse_expiration_date(trust.get("expires_at")) trust_id = uuid.uuid4().hex initiator = notifications._get_request_audit_info(context) new_trust = self.trust_api.create_trust(trust_id, trust, normalized_roles, redelegated_trust, initiator) self._fill_in_roles(context, new_trust, all_roles) return TrustV3.wrap_member(context, new_trust)
def create_endpoint(self, request, endpoint): utils.check_endpoint_url(endpoint['url']) ref = self._assign_unique_id(self._normalize_dict(endpoint)) ref = self._validate_endpoint_region(ref, request.context_dict) initiator = notifications._get_request_audit_info(request.context_dict) ref = self.catalog_api.create_endpoint(ref['id'], ref, initiator) return EndpointV3.wrap_member(request.context_dict, ref)
def create_project(self, context, project): LOG.warn("Monkypatch in action! Hacking the new project id to equal " "the new project name.") ref = self._assign_unique_id(self._normalize_dict(project)) if not ref.get('is_domain'): ref = self._normalize_domain_id(context, ref) # This is the only line that's different ref['id'] = project['name'] # Our API requires that you specify the location in the hierarchy # unambiguously. This could be by parent_id or, if it is a top level # project, just by providing a domain_id. if not ref.get('parent_id'): ref['parent_id'] = ref.get('domain_id') initiator = notifications._get_request_audit_info(context) try: ref = self.resource_api.create_project(ref['id'], ref, initiator=initiator) except (exception.DomainNotFound, exception.ProjectNotFound) as e: raise exception.ValidationError(e) return resource_controllers.ProjectV3.wrap_member(context, ref)
def update_group(self, request, group_id, group): validation.lazy_validate(schema.group_update, group) self._require_matching_id(group_id, group) self._require_matching_domain_id(group_id, group, self.identity_api.get_group) initiator = notifications._get_request_audit_info(request.context_dict) ref = self.identity_api.update_group(group_id, group, initiator) return GroupV3.wrap_member(request.context_dict, ref)
def delete_access_token(self, request, user_id, access_token_id): access_token = self.oauth_api.get_access_token(access_token_id) consumer_id = access_token['consumer_id'] payload = {'user_id': user_id, 'consumer_id': consumer_id} _emit_user_oauth_consumer_token_invalidate(payload) initiator = notifications._get_request_audit_info(request.context_dict) return self.oauth_api.delete_access_token( user_id, access_token_id, initiator)
def create_endpoint(self, request, endpoint): validation.lazy_validate(schema.endpoint_create, endpoint) utils.check_endpoint_url(endpoint['url']) ref = self._assign_unique_id(self._normalize_dict(endpoint)) ref = self._validate_endpoint_region(ref, request.context_dict) initiator = notifications._get_request_audit_info(request.context_dict) ref = self.catalog_api.create_endpoint(ref['id'], ref, initiator) return EndpointV3.wrap_member(request.context_dict, ref)
def delete_access_token(self, context, user_id, access_token_id): access_token = self.oauth_api.get_access_token(access_token_id) consumer_id = access_token['consumer_id'] payload = {'user_id': user_id, 'consumer_id': consumer_id} _emit_user_oauth_consumer_token_invalidate(payload) initiator = notifications._get_request_audit_info(context) return self.oauth_api.delete_access_token( user_id, access_token_id, initiator)
def create_group(self, request, group): validation.lazy_validate(schema.group_create, group) # The manager layer will generate the unique ID for groups ref = self._normalize_dict(group) ref = self._normalize_domain_id(request, ref) initiator = notifications._get_request_audit_info(request.context_dict) ref = self.identity_api.create_group(ref, initiator) return GroupV3.wrap_member(request.context_dict, ref)
def delete_policy(self, context, policy_id): initiator = notifications._get_request_audit_info(context) rules_ref = self.rule_api.list_rules_in_policy(policy_id) if rules_ref: for rule_ref in rules_ref: self.rule_api.delete_rule(rule_ref['id'], initiator) return self.policy_api.delete_policy(policy_id, initiator)
def update_group(self, request, group_id, group): validation.lazy_validate(schema.group_update, group) self._require_matching_id(group_id, group) self._require_matching_domain_id( group_id, group, self.identity_api.get_group) initiator = notifications._get_request_audit_info(request.context_dict) ref = self.identity_api.update_group(group_id, group, initiator) return GroupV3.wrap_member(request.context_dict, ref)
def update_project(self, context, project_id, project): self._require_matching_id(project_id, project) self._require_matching_domain_id( project_id, project, self.resource_api.get_project) initiator = notifications._get_request_audit_info(context) ref = self.resource_api.update_project(project_id, project, initiator=initiator) return ProjectV3.wrap_member(context, ref)
def delete_trust(self, context, trust_id): trust = self.trust_api.get_trust(trust_id) if not trust: raise exception.TrustNotFound(trust_id=trust_id) user_id = self._get_user_id(context) _admin_trustor_only(context, trust, user_id) initiator = notifications._get_request_audit_info(context) self.trust_api.delete_trust(trust_id, initiator)
def update_project(self, request, tenant_id, tenant): validation.lazy_validate(schema.tenant_update, tenant) self.assert_admin(request) self._assert_not_is_domain_project(tenant_id) initiator = notifications._get_request_audit_info(request.context_dict) tenant_ref = self.resource_api.update_project( tenant_id, tenant, initiator) return {'tenant': self.v3_to_v2_project(tenant_ref)}
def update_project(self, request, tenant_id, tenant): validation.lazy_validate(schema.tenant_update, tenant) self.assert_admin(request) self._assert_not_is_domain_project(tenant_id) initiator = notifications._get_request_audit_info(request.context_dict) tenant_ref = self.resource_api.update_project(tenant_id, tenant, initiator) return {'tenant': self.v3_to_v2_project(tenant_ref)}
def update_endpoint(self, context, endpoint_id, endpoint): self._require_matching_id(endpoint_id, endpoint) endpoint = self._validate_endpoint_region(endpoint.copy(), context) initiator = notifications._get_request_audit_info(context) ref = self.catalog_api.update_endpoint(endpoint_id, endpoint, initiator) return EndpointV3.wrap_member(context, ref)
def delete_trust(self, request, trust_id): trust = self.trust_api.get_trust(trust_id) if (request.context.user_id != trust.get('trustor_user_id') and not request.context.is_admin): raise exception.Forbidden() initiator = notifications._get_request_audit_info(request.context_dict) self.trust_api.delete_trust(trust_id, initiator)
def create_user(self, context, user): self._require_attribute(user, 'name') # The manager layer will generate the unique ID for users ref = self._normalize_dict(user) ref = self._normalize_domain_id(context, ref) initiator = notifications._get_request_audit_info(context) ref = self.identity_api.create_user(ref, initiator) return User.wrap_member(context, ref)
def create_service(self, context, OS_KSADM_service): self.assert_admin(context) service_id = uuid.uuid4().hex service_ref = OS_KSADM_service.copy() service_ref['id'] = service_id initiator = notifications._get_request_audit_info(context) new_service_ref = self.catalog_api.create_service( service_id, service_ref, initiator) return {'OS-KSADM:service': new_service_ref}
def create_service(self, request, OS_KSADM_service): self.assert_admin(request.context_dict) service_id = uuid.uuid4().hex service_ref = OS_KSADM_service.copy() service_ref['id'] = service_id initiator = notifications._get_request_audit_info(request.context_dict) new_service_ref = self.catalog_api.create_service( service_id, service_ref, initiator) return {'OS-KSADM:service': new_service_ref}
def create_request_token(self, request): oauth_headers = oauth1.get_oauth_headers(request.headers) consumer_id = oauth_headers.get('oauth_consumer_key') requested_project_id = request.headers.get('Requested-Project-Id') if not consumer_id: raise exception.ValidationError( attribute='oauth_consumer_key', target='request') if not requested_project_id: raise exception.ValidationError( attribute='requested_project_id', target='request') # NOTE(stevemar): Ensure consumer and requested project exist self.resource_api.get_project(requested_project_id) self.oauth_api.get_consumer(consumer_id) url = self.base_url(request.context_dict, request.context_dict['path']) req_headers = {'Requested-Project-Id': requested_project_id} req_headers.update(request.headers) request_verifier = oauth1.RequestTokenEndpoint( request_validator=validator.OAuthValidator(), token_generator=oauth1.token_generator) h, b, s = request_verifier.create_request_token_response( url, http_method='POST', body=request.params, headers=req_headers) if (not b) or int(s) > 399: msg = _('Invalid signature') raise exception.Unauthorized(message=msg) request_token_duration = CONF.oauth1.request_token_duration initiator = notifications._get_request_audit_info(request.context_dict) token_ref = self.oauth_api.create_request_token(consumer_id, requested_project_id, request_token_duration, initiator) result = ('oauth_token=%(key)s&oauth_token_secret=%(secret)s' % {'key': token_ref['id'], 'secret': token_ref['request_secret']}) if CONF.oauth1.request_token_duration: expiry_bit = '&oauth_expires_at=%s' % token_ref['expires_at'] result += expiry_bit headers = [('Content-Type', 'application/x-www-form-urlencoded')] response = wsgi.render_response( result, status=(http_client.CREATED, http_client.responses[http_client.CREATED]), headers=headers) return response
def create_request_token(self, request): oauth_headers = oauth1.get_oauth_headers(request.headers) consumer_id = oauth_headers.get('oauth_consumer_key') requested_project_id = request.headers.get('Requested-Project-Id') if not consumer_id: raise exception.ValidationError( attribute='oauth_consumer_key', target='request') if not requested_project_id: raise exception.ValidationError( attribute='requested_project_id', target='request') # NOTE(stevemar): Ensure consumer and requested project exist self.resource_api.get_project(requested_project_id) self.oauth_api.get_consumer(consumer_id) url = self.base_url(request.context_dict, request.context_dict['path']) req_headers = {'Requested-Project-Id': requested_project_id} req_headers.update(request.headers) request_verifier = oauth1.RequestTokenEndpoint( request_validator=validator.OAuthValidator(), token_generator=oauth1.token_generator) h, b, s = request_verifier.create_request_token_response( url, http_method='POST', body=request.params, headers=req_headers) if (not b) or int(s) > 399: msg = _('Invalid signature') raise exception.Unauthorized(message=msg) request_token_duration = CONF.oauth1.request_token_duration initiator = notifications._get_request_audit_info(request.context_dict) token_ref = self.oauth_api.create_request_token(consumer_id, requested_project_id, request_token_duration, initiator) result = ('oauth_token=%(key)s&oauth_token_secret=%(secret)s' % {'key': token_ref['id'], 'secret': token_ref['request_secret']}) if CONF.oauth1.request_token_duration: expiry_bit = '&oauth_expires_at=%s' % token_ref['expires_at'] result += expiry_bit headers = [('Content-Type', 'application/x-www-urlformencoded')] response = wsgi.render_response( result, status=(http_client.CREATED, http_client.responses[http_client.CREATED]), headers=headers) return response
def create_service(self, request, OS_KSADM_service): validation.lazy_validate(schema.service_create_v2, OS_KSADM_service) self.assert_admin(request) service_id = uuid.uuid4().hex service_ref = OS_KSADM_service.copy() service_ref['id'] = service_id initiator = notifications._get_request_audit_info(request.context_dict) new_service_ref = self.catalog_api.create_service( service_id, service_ref, initiator) return {'OS-KSADM:service': new_service_ref}
def create_region(self, context, region): ref = self._normalize_dict(region) if not ref.get('id'): ref = self._assign_unique_id(ref) initiator = notifications._get_request_audit_info(context) ref = self.catalog_api.create_region(ref, initiator) return wsgi.render_response(RegionV3.wrap_member(context, ref), status=(201, 'Created'))
def delete_consumer(self, context, consumer_id): user_token_ref = token_model.KeystoneToken( token_id=context['token_id'], token_data=self.token_provider_api.validate_token( context['token_id'])) payload = {'user_id': user_token_ref.user_id, 'consumer_id': consumer_id} _emit_user_oauth_consumer_token_invalidate(payload) initiator = notifications._get_request_audit_info(context) self.oauth_api.delete_consumer(consumer_id, initiator)
def update_endpoint(self, request, endpoint_id, endpoint): validation.lazy_validate(schema.endpoint_update, endpoint) self._require_matching_id(endpoint_id, endpoint) endpoint = self._validate_endpoint_region(endpoint.copy(), request.context_dict) initiator = notifications._get_request_audit_info(request.context_dict) ref = self.catalog_api.update_endpoint(endpoint_id, endpoint, initiator) return EndpointV3.wrap_member(request.context_dict, ref)
def create_project(self, context, project): ref = self._assign_unique_id(self._normalize_dict(project)) ref = self._normalize_domain_id(context, ref) initiator = notifications._get_request_audit_info(context) try: ref = self.resource_api.create_project(ref['id'], ref, initiator=initiator) except exception.DomainNotFound as e: raise exception.ValidationError(e) return ProjectV3.wrap_member(context, ref)