
Source code changes of the file "keystone/api/users.py" between
keystone-15.0.0.tar.gz and keystone-15.0.1.tar.gz

About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Stein" series (maintained release).

users.py  (keystone-15.0.0):users.py  (keystone-15.0.1)
skipping to change at line 551 skipping to change at line 551
def _normalize_role_list(app_cred_roles): def _normalize_role_list(app_cred_roles):
roles = [] roles = []
for role in app_cred_roles: for role in app_cred_roles:
if role.get('id'): if role.get('id'):
roles.append(role) roles.append(role)
else: else:
roles.append(PROVIDERS.role_api.get_unique_role_by_name( roles.append(PROVIDERS.role_api.get_unique_role_by_name(
role['name'])) role['name']))
return roles return roles
def _get_roles(self, app_cred_data, token):
if app_cred_data.get('roles'):
roles = self._normalize_role_list(app_cred_data['roles'])
# NOTE(cmurphy): The user is not allowed to add a role that is not
# in their token. This is to prevent trustees or application
# credential users from escallating their privileges to include
# additional roles that the trustor or application credential
# creator has assigned on the project.
token_roles = [r['id'] for r in token.roles]
for role in roles:
if role['id'] not in token_roles:
detail = _('Cannot create an application credential with '
'unassigned role')
raise ks_exception.ApplicationCredentialValidationError(
detail=detail)
else:
roles = token.roles
return roles
def get(self, user_id): def get(self, user_id):
"""List application credentials for user. """List application credentials for user.
GET/HEAD /v3/users/{user_id}/application_credentials GET/HEAD /v3/users/{user_id}/application_credentials
""" """
filters = ('name',) filters = ('name',)
ENFORCER.enforce_call(action='identity:list_application_credentials', ENFORCER.enforce_call(action='identity:list_application_credentials',
filters=filters) filters=filters)
app_cred_api = PROVIDERS.application_credential_api app_cred_api = PROVIDERS.application_credential_api
hints = self.build_driver_hints(filters) hints = self.build_driver_hints(filters)
skipping to change at line 586 skipping to change at line 605
if self.oslo_context.user_id != user_id: if self.oslo_context.user_id != user_id:
action = _('Cannot create an application credential for another ' action = _('Cannot create an application credential for another '
'user.') 'user.')
raise ks_exception.ForbiddenAction(action=action) raise ks_exception.ForbiddenAction(action=action)
project_id = self.oslo_context.project_id project_id = self.oslo_context.project_id
app_cred_data = self._assign_unique_id(app_cred_data) app_cred_data = self._assign_unique_id(app_cred_data)
if not app_cred_data.get('secret'): if not app_cred_data.get('secret'):
app_cred_data['secret'] = self._generate_secret() app_cred_data['secret'] = self._generate_secret()
app_cred_data['user_id'] = user_id app_cred_data['user_id'] = user_id
app_cred_data['project_id'] = project_id app_cred_data['project_id'] = project_id
app_cred_data['roles'] = self._normalize_role_list( app_cred_data['roles'] = self._get_roles(app_cred_data, token)
app_cred_data.get('roles', token.roles))
if app_cred_data.get('expires_at'): if app_cred_data.get('expires_at'):
app_cred_data['expires_at'] = utils.parse_expiration_date( app_cred_data['expires_at'] = utils.parse_expiration_date(
app_cred_data['expires_at']) app_cred_data['expires_at'])
app_cred_data = self._normalize_dict(app_cred_data) app_cred_data = self._normalize_dict(app_cred_data)
app_cred_api = PROVIDERS.application_credential_api app_cred_api = PROVIDERS.application_credential_api
try: try:
ref = app_cred_api.create_application_credential( ref = app_cred_api.create_application_credential(
app_cred_data, initiator=self.audit_initiator) app_cred_data, initiator=self.audit_initiator)
except ks_exception.RoleAssignmentNotFound as e: except ks_exception.RoleAssignmentNotFound as e:
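Review bot: In the added `_get_roles`, the guard `if app_cred_data.get('roles'):` is a truthiness test, so a request carrying an explicit empty `roles` list takes the `else` branch and the credential receives every role in `token.roles`; the removed `app_cred_data.get('roles', token.roles)` fell back only when the key was absent. Unless request validation outside this page already rejects an empty list, a caller who meant to narrow the credential gets the full role set instead, so either test `if app_cred_data.get('roles') is not None:` or add a comment such as `# an empty or missing list inherits the token's roles` to make the intent explicit. The helper also has no docstring; one sentence saying it returns the requested roles after checking each id against the token's roles, and raises `ApplicationCredentialValidationError` otherwise, would be enough, and "escallating" in the NOTE should read "escalating". The method that calls `_get_roles` starts and ends outside the second change block.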
 End of changes. 2 change blocks. 
2 lines changed or deleted 20 lines changed or added
