
Source code changes of the file "keystone/api/users.py" between
keystone-16.0.1.tar.gz and keystone-17.0.0.tar.gz

About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Ussuri" series (latest release).

users.py  (keystone-16.0.1):users.py  (keystone-17.0.0)
skipping to change at line 20 skipping to change at line 20
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
# This file handles all flask-restful resources for /v3/users # This file handles all flask-restful resources for /v3/users
import base64 import base64
import os import os
import uuid import uuid
import flask import flask
import http.client
from oslo_serialization import jsonutils from oslo_serialization import jsonutils
from six.moves import http_client
from werkzeug import exceptions from werkzeug import exceptions
from keystone.api._shared import json_home_relations from keystone.api._shared import json_home_relations
from keystone.application_credential import schema as app_cred_schema from keystone.application_credential import schema as app_cred_schema
from keystone.common import json_home from keystone.common import json_home
from keystone.common import provider_api from keystone.common import provider_api
from keystone.common import rbac_enforcer from keystone.common import rbac_enforcer
from keystone.common import utils from keystone.common import utils
from keystone.common import validation from keystone.common import validation
import keystone.conf import keystone.conf
skipping to change at line 204 skipping to change at line 204
target = {'user': user_data} target = {'user': user_data}
ENFORCER.enforce_call( ENFORCER.enforce_call(
action='identity:create_user', target_attr=target action='identity:create_user', target_attr=target
) )
validation.lazy_validate(schema.user_create, user_data) validation.lazy_validate(schema.user_create, user_data)
user_data = self._normalize_dict(user_data) user_data = self._normalize_dict(user_data)
user_data = self._normalize_domain_id(user_data) user_data = self._normalize_domain_id(user_data)
ref = PROVIDERS.identity_api.create_user( ref = PROVIDERS.identity_api.create_user(
user_data, user_data,
initiator=self.audit_initiator) initiator=self.audit_initiator)
return self.wrap_member(ref), http_client.CREATED return self.wrap_member(ref), http.client.CREATED
def patch(self, user_id): def patch(self, user_id):
"""Update a user. """Update a user.
PATCH /v3/users/{user_id} PATCH /v3/users/{user_id}
""" """
ENFORCER.enforce_call( ENFORCER.enforce_call(
action='identity:update_user', action='identity:update_user',
build_target=_build_user_target_enforcement build_target=_build_user_target_enforcement
) )
skipping to change at line 233 skipping to change at line 233
def delete(self, user_id): def delete(self, user_id):
"""Delete a user. """Delete a user.
DELETE /v3/users/{user_id} DELETE /v3/users/{user_id}
""" """
ENFORCER.enforce_call( ENFORCER.enforce_call(
action='identity:delete_user', action='identity:delete_user',
build_target=_build_user_target_enforcement build_target=_build_user_target_enforcement
) )
PROVIDERS.identity_api.delete_user(user_id) PROVIDERS.identity_api.delete_user(user_id)
return None, http_client.NO_CONTENT return None, http.client.NO_CONTENT
class UserChangePasswordResource(ks_flask.ResourceBase): class UserChangePasswordResource(ks_flask.ResourceBase):
@ks_flask.unenforced_api @ks_flask.unenforced_api
def get(self, user_id): def get(self, user_id):
# Special case, GET is not allowed. # Special case, GET is not allowed.
raise exceptions.MethodNotAllowed(valid_methods=['POST']) raise exceptions.MethodNotAllowed(valid_methods=['POST'])
@ks_flask.unenforced_api @ks_flask.unenforced_api
def post(self, user_id): def post(self, user_id):
user_data = self.request_body_json.get('user', {}) user_data = self.request_body_json.get('user', {})
skipping to change at line 256 skipping to change at line 256
try: try:
PROVIDERS.identity_api.change_password( PROVIDERS.identity_api.change_password(
user_id=user_id, user_id=user_id,
original_password=user_data['original_password'], original_password=user_data['original_password'],
new_password=user_data['password'], new_password=user_data['password'],
initiator=self.audit_initiator) initiator=self.audit_initiator)
except AssertionError as e: except AssertionError as e:
raise ks_exception.Unauthorized( raise ks_exception.Unauthorized(
_('Error when changing user password: %s') % e _('Error when changing user password: %s') % e
) )
return None, http_client.NO_CONTENT return None, http.client.NO_CONTENT
class UserProjectsResource(ks_flask.ResourceBase): class UserProjectsResource(ks_flask.ResourceBase):
collection_key = 'projects' collection_key = 'projects'
member_key = 'project' member_key = 'project'
get_member_from_driver = PROVIDERS.deferred_provider_lookup( get_member_from_driver = PROVIDERS.deferred_provider_lookup(
api='resource_api', method='get_project') api='resource_api', method='get_project')
def get(self, user_id): def get(self, user_id):
filters = ('domain_id', 'enabled', 'name') filters = ('domain_id', 'enabled', 'name')
ENFORCER.enforce_call(action='identity:list_user_projects', ENFORCER.enforce_call(action='identity:list_user_projects',
skipping to change at line 360 skipping to change at line 360
credential_id = utils.hash_access_key(blob['access']) credential_id = utils.hash_access_key(blob['access'])
cred_data = dict( cred_data = dict(
user_id=user_id, user_id=user_id,
project_id=tenant_id, project_id=tenant_id,
blob=jsonutils.dumps(blob), blob=jsonutils.dumps(blob),
id=credential_id, id=credential_id,
type=CRED_TYPE_EC2 type=CRED_TYPE_EC2
) )
PROVIDERS.credential_api.create_credential(credential_id, cred_data) PROVIDERS.credential_api.create_credential(credential_id, cred_data)
ref = _convert_v3_to_ec2_credential(cred_data) ref = _convert_v3_to_ec2_credential(cred_data)
return self.wrap_member(ref), http_client.CREATED return self.wrap_member(ref), http.client.CREATED
class UserOSEC2CredentialsResourceGetDelete(_UserOSEC2CredBaseResource): class UserOSEC2CredentialsResourceGetDelete(_UserOSEC2CredBaseResource):
@staticmethod @staticmethod
def _get_cred_data(credential_id): def _get_cred_data(credential_id):
cred = PROVIDERS.credential_api.get_credential(credential_id) cred = PROVIDERS.credential_api.get_credential(credential_id)
if not cred or cred['type'] != CRED_TYPE_EC2: if not cred or cred['type'] != CRED_TYPE_EC2:
raise ks_exception.Unauthorized( raise ks_exception.Unauthorized(
message=_('EC2 access key not found.')) message=_('EC2 access key not found.'))
return _convert_v3_to_ec2_credential(cred) return _convert_v3_to_ec2_credential(cred)
skipping to change at line 397 skipping to change at line 397
DELETE /users/{user_id}/credentials/OS-EC2/{credential_id} DELETE /users/{user_id}/credentials/OS-EC2/{credential_id}
""" """
func = _build_enforcer_target_data_owner_and_user_id_match func = _build_enforcer_target_data_owner_and_user_id_match
ENFORCER.enforce_call(action='identity:ec2_delete_credential', ENFORCER.enforce_call(action='identity:ec2_delete_credential',
build_target=func) build_target=func)
PROVIDERS.identity_api.get_user(user_id) PROVIDERS.identity_api.get_user(user_id)
ec2_cred_id = utils.hash_access_key(credential_id) ec2_cred_id = utils.hash_access_key(credential_id)
self._get_cred_data(ec2_cred_id) self._get_cred_data(ec2_cred_id)
PROVIDERS.credential_api.delete_credential(ec2_cred_id) PROVIDERS.credential_api.delete_credential(ec2_cred_id)
return None, http_client.NO_CONTENT return None, http.client.NO_CONTENT
class _OAuth1ResourceBase(ks_flask.ResourceBase): class _OAuth1ResourceBase(ks_flask.ResourceBase):
collection_key = 'access_tokens' collection_key = 'access_tokens'
member_key = 'access_token' member_key = 'access_token'
@classmethod @classmethod
def _add_self_referential_link(cls, ref, collection_name=None): def _add_self_referential_link(cls, ref, collection_name=None):
# NOTE(morgan): This should be refactored to have an OAuth1 API with # NOTE(morgan): This should be refactored to have an OAuth1 API with
# a sane prefix instead of overloading the "_add_self_referential_link" # a sane prefix instead of overloading the "_add_self_referential_link"
# method. This was chosen as it more closely mirrors the pre-flask # method. This was chosen as it more closely mirrors the pre-flask
skipping to change at line 462 skipping to change at line 462
reason = ( reason = (
'Invalidating the token cache because an access token for ' 'Invalidating the token cache because an access token for '
'consumer %(consumer_id)s has been deleted. Authorization for ' 'consumer %(consumer_id)s has been deleted. Authorization for '
'users with OAuth tokens will be recalculated and enforced ' 'users with OAuth tokens will be recalculated and enforced '
'accordingly the next time they authenticate or validate a ' 'accordingly the next time they authenticate or validate a '
'token.' % {'consumer_id': access_token['consumer_id']} 'token.' % {'consumer_id': access_token['consumer_id']}
) )
notifications.invalidate_token_cache_notification(reason) notifications.invalidate_token_cache_notification(reason)
PROVIDERS.oauth_api.delete_access_token( PROVIDERS.oauth_api.delete_access_token(
user_id, access_token_id, initiator=self.audit_initiator) user_id, access_token_id, initiator=self.audit_initiator)
return None, http_client.NO_CONTENT return None, http.client.NO_CONTENT
class OAuth1AccessTokenRoleListResource(ks_flask.ResourceBase): class OAuth1AccessTokenRoleListResource(ks_flask.ResourceBase):
collection_key = 'roles' collection_key = 'roles'
member_key = 'role' member_key = 'role'
def get(self, user_id, access_token_id): def get(self, user_id, access_token_id):
"""List roles for a user access token. """List roles for a user access token.
GET/HEAD /v3/users/{user_id}/OS-OAUTH1/access_tokens/ GET/HEAD /v3/users/{user_id}/OS-OAUTH1/access_tokens/
{access_token_id}/roles {access_token_id}/roles
skipping to change at line 622 skipping to change at line 622
try: try:
ref = app_cred_api.create_application_credential( ref = app_cred_api.create_application_credential(
app_cred_data, initiator=self.audit_initiator) app_cred_data, initiator=self.audit_initiator)
except ks_exception.RoleAssignmentNotFound as e: except ks_exception.RoleAssignmentNotFound as e:
# Raise a Bad Request, not a Not Found, in accordance with the # Raise a Bad Request, not a Not Found, in accordance with the
# API-SIG recommendations: # API-SIG recommendations:
# https://specs.openstack.org/openstack/api-wg/guidelines/http.html# failure-code-clarifications # https://specs.openstack.org/openstack/api-wg/guidelines/http.html# failure-code-clarifications
raise ks_exception.ApplicationCredentialValidationError( raise ks_exception.ApplicationCredentialValidationError(
detail=str(e)) detail=str(e))
return self.wrap_member(ref), http_client.CREATED return self.wrap_member(ref), http.client.CREATED
class UserAppCredGetDeleteResource(ks_flask.ResourceBase): class UserAppCredGetDeleteResource(ks_flask.ResourceBase):
collection_key = 'application_credentials' collection_key = 'application_credentials'
member_key = 'application_credential' member_key = 'application_credential'
def get(self, user_id, application_credential_id): def get(self, user_id, application_credential_id):
"""Get application credential resource. """Get application credential resource.
GET/HEAD /v3/users/{user_id}/application_credentials/ GET/HEAD /v3/users/{user_id}/application_credentials/
{application_credential_id} {application_credential_id}
skipping to change at line 650 skipping to change at line 650
"""Delete application credential resource. """Delete application credential resource.
DELETE /v3/users/{user_id}/application_credentials/ DELETE /v3/users/{user_id}/application_credentials/
{application_credential_id} {application_credential_id}
""" """
ENFORCER.enforce_call(action='identity:delete_application_credential') ENFORCER.enforce_call(action='identity:delete_application_credential')
token = self.auth_context['token'] token = self.auth_context['token']
_check_unrestricted_application_credential(token) _check_unrestricted_application_credential(token)
PROVIDERS.application_credential_api.delete_application_credential( PROVIDERS.application_credential_api.delete_application_credential(
application_credential_id, initiator=self.audit_initiator) application_credential_id, initiator=self.audit_initiator)
return None, http_client.NO_CONTENT return None, http.client.NO_CONTENT
class UserAccessRuleListResource(ks_flask.ResourceBase): class UserAccessRuleListResource(ks_flask.ResourceBase):
collection_key = 'access_rules' collection_key = 'access_rules'
member_key = 'access_rule' member_key = 'access_rule'
def get(self, user_id): def get(self, user_id):
"""List access rules for user. """List access rules for user.
GET/HEAD /v3/users/{user_id}/access_rules GET/HEAD /v3/users/{user_id}/access_rules
""" """
skipping to change at line 699 skipping to change at line 699
"""Delete access rule resource. """Delete access rule resource.
DELETE /v3/users/{user_id}/access_rules/{access_rule_id} DELETE /v3/users/{user_id}/access_rules/{access_rule_id}
""" """
ENFORCER.enforce_call( ENFORCER.enforce_call(
action='identity:delete_access_rule', action='identity:delete_access_rule',
build_target=_build_user_target_enforcement build_target=_build_user_target_enforcement
) )
PROVIDERS.application_credential_api.delete_access_rule( PROVIDERS.application_credential_api.delete_access_rule(
access_rule_id, initiator=self.audit_initiator) access_rule_id, initiator=self.audit_initiator)
return None, http_client.NO_CONTENT return None, http.client.NO_CONTENT
class UserAPI(ks_flask.APIBase): class UserAPI(ks_flask.APIBase):
_name = 'users' _name = 'users'
_import_name = __name__ _import_name = __name__
resources = [UserResource] resources = [UserResource]
resource_mapping = [ resource_mapping = [
ks_flask.construct_resource_map( ks_flask.construct_resource_map(
resource=UserChangePasswordResource, resource=UserChangePasswordResource,
url='/users/<string:user_id>/password', url='/users/<string:user_id>/password',
resource_kwargs={}, resource_kwargs={},
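Review bot: In the application-credential `delete` handler (hunk at new line 650), nothing visible ties `application_credential_id` to the `user_id` in the path: `ENFORCER.enforce_call(action='identity:delete_application_credential')` is given no `build_target`, and `delete_application_credential` receives only the credential id. The access-rule delete in the next hunk does pass `build_target=_build_user_target_enforcement`, so the two handlers are inconsistent as shown. Unless the provider or the enforcer's default target already checks ownership (not visible here; the method's signature is also outside the hunk), the handler should load the credential first and reject the request when its stored owner differs from `user_id`, or pass an owner-aware target such as `build_target=<target builder that loads the credential's owner>`. A test asserting that one user's token cannot delete a credential belonging to another user would pin the behaviour.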
 End of changes. 11 change blocks. 
10 lines changed or deleted 10 lines changed or added
