
Source code changes of the file "keystone/auth/core.py" between
keystone-16.0.1.tar.gz and keystone-17.0.0.tar.gz

About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Ussuri" series (latest release).

core.py  (keystone-16.0.1):core.py  (keystone-17.0.0)
skipping to change at line 14 skipping to change at line 14
# #
# http://www.apache.org/licenses/LICENSE-2.0 # http://www.apache.org/licenses/LICENSE-2.0
# #
# Unless required by applicable law or agreed to in writing, software # Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
from functools import partial from functools import partial
import sys
from oslo_log import log from oslo_log import log
import six
import stevedore import stevedore
from keystone.common import driver_hints from keystone.common import driver_hints
from keystone.common import provider_api from keystone.common import provider_api
from keystone.common import utils from keystone.common import utils
import keystone.conf import keystone.conf
from keystone import exception from keystone import exception
from keystone.i18n import _ from keystone.i18n import _
from keystone.identity.backends import resource_options as ro from keystone.identity.backends import resource_options as ro
skipping to change at line 142 skipping to change at line 140
# unscoped: (None, None, None, 'unscoped', None) # unscoped: (None, None, None, 'unscoped', None)
# system: (None, None, None, None, 'all') # system: (None, None, None, None, 'all')
def _assert_project_is_enabled(self, project_ref): def _assert_project_is_enabled(self, project_ref):
# ensure the project is enabled # ensure the project is enabled
try: try:
PROVIDERS.resource_api.assert_project_enabled( PROVIDERS.resource_api.assert_project_enabled(
project_id=project_ref['id'], project_id=project_ref['id'],
project=project_ref) project=project_ref)
except AssertionError as e: except AssertionError as e:
LOG.warning(six.text_type(e)) LOG.warning(e)
six.reraise(exception.Unauthorized, exception.Unauthorized(e), raise exception.Unauthorized from e
sys.exc_info()[2])
def _assert_domain_is_enabled(self, domain_ref): def _assert_domain_is_enabled(self, domain_ref):
try: try:
PROVIDERS.resource_api.assert_domain_enabled( PROVIDERS.resource_api.assert_domain_enabled(
domain_id=domain_ref['id'], domain_id=domain_ref['id'],
domain=domain_ref) domain=domain_ref)
except AssertionError as e: except AssertionError as e:
LOG.warning(six.text_type(e)) LOG.warning(e)
six.reraise(exception.Unauthorized, exception.Unauthorized(e), raise exception.Unauthorized from e
sys.exc_info()[2])
def _lookup_domain(self, domain_info): def _lookup_domain(self, domain_info):
domain_id = domain_info.get('id') domain_id = domain_info.get('id')
domain_name = domain_info.get('name') domain_name = domain_info.get('name')
try: try:
if domain_name: if domain_name:
if (CONF.resource.domain_name_url_safe == 'strict' and if (CONF.resource.domain_name_url_safe == 'strict' and
utils.is_not_url_safe(domain_name)): utils.is_not_url_safe(domain_name)):
msg = 'Domain name cannot contain reserved characters.' msg = 'Domain name cannot contain reserved characters.'
tr_msg = _('Domain name cannot contain reserved ' tr_msg = _('Domain name cannot contain reserved '
'characters.') 'characters.')
LOG.warning(msg) LOG.warning(msg)
raise exception.Unauthorized(message=tr_msg) raise exception.Unauthorized(message=tr_msg)
domain_ref = PROVIDERS.resource_api.get_domain_by_name( domain_ref = PROVIDERS.resource_api.get_domain_by_name(
domain_name) domain_name)
else: else:
domain_ref = PROVIDERS.resource_api.get_domain(domain_id) domain_ref = PROVIDERS.resource_api.get_domain(domain_id)
except exception.DomainNotFound as e: except exception.DomainNotFound as e:
LOG.warning(six.text_type(e)) LOG.warning(e)
raise exception.Unauthorized(e) raise exception.Unauthorized(e)
self._assert_domain_is_enabled(domain_ref) self._assert_domain_is_enabled(domain_ref)
return domain_ref return domain_ref
def _lookup_project(self, project_info): def _lookup_project(self, project_info):
project_id = project_info.get('id') project_id = project_info.get('id')
project_name = project_info.get('name') project_name = project_info.get('name')
try: try:
if project_name: if project_name:
if (CONF.resource.project_name_url_safe == 'strict' and if (CONF.resource.project_name_url_safe == 'strict' and
skipping to change at line 206 skipping to change at line 202
else: else:
project_ref = PROVIDERS.resource_api.get_project(project_id) project_ref = PROVIDERS.resource_api.get_project(project_id)
domain_id = project_ref['domain_id'] domain_id = project_ref['domain_id']
if not domain_id: if not domain_id:
raise exception.ProjectNotFound(project_id=project_id) raise exception.ProjectNotFound(project_id=project_id)
# NOTE(morganfainberg): The _lookup_domain method will raise # NOTE(morganfainberg): The _lookup_domain method will raise
# exception.Unauthorized if the domain isn't found or is # exception.Unauthorized if the domain isn't found or is
# disabled. # disabled.
self._lookup_domain({'id': domain_id}) self._lookup_domain({'id': domain_id})
except exception.ProjectNotFound as e: except exception.ProjectNotFound as e:
LOG.warning(six.text_type(e)) LOG.warning(e)
raise exception.Unauthorized(e) raise exception.Unauthorized(e)
self._assert_project_is_enabled(project_ref) self._assert_project_is_enabled(project_ref)
return project_ref return project_ref
def _lookup_trust(self, trust_info): def _lookup_trust(self, trust_info):
trust_id = trust_info.get('id') trust_id = trust_info.get('id')
if not trust_id: if not trust_id:
raise exception.ValidationError(attribute='trust_id', raise exception.ValidationError(attribute='trust_id',
target='trust') target='trust')
trust = PROVIDERS.trust_api.get_trust(trust_id) trust = PROVIDERS.trust_api.get_trust(trust_id)
skipping to change at line 250 skipping to change at line 246
user_id = PROVIDERS.identity_api.get_user_by_name( user_id = PROVIDERS.identity_api.get_user_by_name(
user['name'], domain_ref['id'])['id'] user['name'], domain_ref['id'])['id']
hints = driver_hints.Hints() hints = driver_hints.Hints()
hints.add_filter('name', name) hints.add_filter('name', name)
app_cred_api = PROVIDERS.application_credential_api app_cred_api = PROVIDERS.application_credential_api
app_creds = app_cred_api.list_application_credentials( app_creds = app_cred_api.list_application_credentials(
user_id, hints) user_id, hints)
if len(app_creds) != 1: if len(app_creds) != 1:
message = "Could not find application credential: %s" % name message = "Could not find application credential: %s" % name
tr_message = _("Could not find application credential: %s") % name tr_message = _("Could not find application credential: %s") % name
LOG.warning(six.text_type(message)) LOG.warning(message)
raise exception.Unauthorized(tr_message) raise exception.Unauthorized(tr_message)
return app_creds[0] return app_creds[0]
def _set_scope_from_app_cred(self, app_cred_info): def _set_scope_from_app_cred(self, app_cred_info):
app_cred_ref = self._lookup_app_cred(app_cred_info) app_cred_ref = self._lookup_app_cred(app_cred_info)
self._scope_data = (None, app_cred_ref['project_id'], None, None, None) self._scope_data = (None, app_cred_ref['project_id'], None, None, None)
return return
def _validate_and_normalize_scope_data(self): def _validate_and_normalize_scope_data(self):
"""Validate and normalize scope data.""" """Validate and normalize scope data."""
skipping to change at line 510 skipping to change at line 506
# being considered. # being considered.
LOG.info('Ignoring Rule %(type)r; rule must be a list of ' LOG.info('Ignoring Rule %(type)r; rule must be a list of '
'strings.', 'strings.',
{'type': type(r_list)}) {'type': type(r_list)})
continue continue
if r_list: if r_list:
# No empty rules are allowed. # No empty rules are allowed.
_ok_rule = True _ok_rule = True
for item in r_list: for item in r_list:
if not isinstance(item, six.string_types): if not isinstance(item, str):
# Rules may only contain strings for method names # Rules may only contain strings for method names
# Reject a rule with non-string values # Reject a rule with non-string values
LOG.info('Ignoring Rule %(rule)r; rule contains ' LOG.info('Ignoring Rule %(rule)r; rule contains '
'non-string values.', 'non-string values.',
{'rule': r_list}) {'rule': r_list})
# Rule is known to be bad, drop it from consideration. # Rule is known to be bad, drop it from consideration.
_ok_rule = False _ok_rule = False
break break
# NOTE(notmorgan): No FOR/ELSE used here! Though it could be # NOTE(notmorgan): No FOR/ELSE used here! Though it could be
# done and avoid the use of _ok_rule. This is a note for # done and avoid the use of _ok_rule. This is a note for
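Review bot: In `_assert_project_is_enabled` and `_assert_domain_is_enabled`, the new `raise exception.Unauthorized from e` raises the bare class, so the `AssertionError` text is no longer handed to `Unauthorized` as its message the way `exception.Unauthorized(e)` did, while `_lookup_domain` and `_lookup_project` in the same file still use `raise exception.Unauthorized(e)`. If the detail is meant to stay on the exception (how `Unauthorized` exposes its message to clients is not visible on this page), `raise exception.Unauthorized(e) from e` keeps both the message and the explicit cause. If dropping it is deliberate, so that a caller cannot tell a disabled project or domain from any other authentication failure, a short comment such as `# detail goes to the log only; the client gets the generic 401 text` above the raise would record that, and the two `_lookup_*` handlers should probably follow the same pattern.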
 End of changes. 8 change blocks. 
12 lines changed or deleted 8 lines changed or added
