Merge "Add JSON schema and validation for implied role"
				
					
				
			This commit is contained in:
		| @@ -15,6 +15,8 @@ | ||||
| import flask_restful | ||||
|  | ||||
| from keystone.api._shared import implied_roles as shared | ||||
| from keystone.api import validation | ||||
| from keystone.assignment import schema | ||||
| from keystone.common import provider_api | ||||
| from keystone.common import rbac_enforcer | ||||
| from keystone.server import flask as ks_flask | ||||
| @@ -24,6 +26,10 @@ PROVIDERS = provider_api.ProviderAPIs | ||||
|  | ||||
|  | ||||
| class RoleInferencesResource(flask_restful.Resource): | ||||
|     @validation.request_body_schema(None) | ||||
|     @validation.response_body_schema( | ||||
|         schema.role_inferences_index_response_body | ||||
|     ) | ||||
|     def get(self): | ||||
|         """List role inference rules. | ||||
|  | ||||
|   | ||||
| @@ -218,6 +218,8 @@ def _build_enforcement_target_ref(): | ||||
|  | ||||
|  | ||||
| class RoleImplicationListResource(flask_restful.Resource): | ||||
|     @validation.request_body_schema(None) | ||||
|     @validation.response_body_schema(schema.role_inference_show_response_body) | ||||
|     def get(self, prior_role_id): | ||||
|         """List Implied Roles. | ||||
|  | ||||
| @@ -243,6 +245,8 @@ class RoleImplicationListResource(flask_restful.Resource): | ||||
|  | ||||
|  | ||||
| class RoleImplicationResource(flask_restful.Resource): | ||||
|     @validation.request_body_schema(None) | ||||
|     @validation.response_body_schema(None) | ||||
|     def head(self, prior_role_id, implied_role_id=None): | ||||
|         # TODO(morgan): deprecate "check_implied_role" policy, as a user must | ||||
|         # have both check_implied_role and get_implied_role to use the head | ||||
| @@ -261,6 +265,8 @@ class RoleImplicationResource(flask_restful.Resource): | ||||
|         # here is incorrect. It is maintained as is for API contract reasons. | ||||
|         return None, http.client.NO_CONTENT | ||||
|  | ||||
|     @validation.request_body_schema(None) | ||||
|     @validation.response_body_schema(schema.implied_role_show_response_body) | ||||
|     def get(self, prior_role_id, implied_role_id): | ||||
|         """Get implied role. | ||||
|  | ||||
| @@ -287,6 +293,8 @@ class RoleImplicationResource(flask_restful.Resource): | ||||
|         } | ||||
|         return response_json | ||||
|  | ||||
|     @validation.request_body_schema(None) | ||||
|     @validation.response_body_schema(schema.implied_role_show_response_body) | ||||
|     def put(self, prior_role_id, implied_role_id): | ||||
|         """Create implied role. | ||||
|  | ||||
| @@ -300,6 +308,8 @@ class RoleImplicationResource(flask_restful.Resource): | ||||
|         response_json = self._get_implied_role(prior_role_id, implied_role_id) | ||||
|         return response_json, http.client.CREATED | ||||
|  | ||||
|     @validation.request_body_schema(None) | ||||
|     @validation.response_body_schema(None) | ||||
|     def delete(self, prior_role_id, implied_role_id): | ||||
|         """Delete implied role. | ||||
|  | ||||
|   | ||||
| @@ -120,3 +120,106 @@ role_update_request_body = { | ||||
|     "required": ["role"], | ||||
|     "additionalProperties": False, | ||||
| } | ||||
|  | ||||
| # Individual properties of a returned prior/implied role | ||||
| _implied_role_properties: dict[str, Any] = { | ||||
|     "id": { | ||||
|         "type": "string", | ||||
|         "format": "uuid", | ||||
|         "description": "The role ID.", | ||||
|         "readOnly": True, | ||||
|     }, | ||||
|     "links": response_types.resource_links, | ||||
|     "name": parameter_types.name, | ||||
| } | ||||
|  | ||||
| # Common schema of prior role | ||||
| prior_role_schema: dict[str, Any] = { | ||||
|     "type": "object", | ||||
|     "description": "A prior role object.", | ||||
|     "properties": _implied_role_properties, | ||||
|     "additionalProperties": False, | ||||
| } | ||||
|  | ||||
| # Common schema of implied role | ||||
| implied_role_schema: dict[str, Any] = { | ||||
|     "type": "object", | ||||
|     "description": "An implied role object.", | ||||
|     "properties": _implied_role_properties, | ||||
|     "additionalProperties": False, | ||||
| } | ||||
|  | ||||
| # Response body of API operations returning a single implied role | ||||
| # `GET /v3/roles/{prior_role_id}/implies/{implies_role_id}` | ||||
| # and `PUT /v3/roles/{prior_role_id}/implies/{implies_role_id}` | ||||
| implied_role_show_response_body: dict[str, Any] = { | ||||
|     "type": "object", | ||||
|     "properties": { | ||||
|         "role_inference": { | ||||
|             "type": "object", | ||||
|             "description": ( | ||||
|                 "Role inference object that contains " | ||||
|                 "prior_role object and implies object." | ||||
|             ), | ||||
|             "properties": { | ||||
|                 "prior_role": prior_role_schema, | ||||
|                 "implies": implied_role_schema, | ||||
|             }, | ||||
|             "additionalProperties": False, | ||||
|         }, | ||||
|         "links": response_types.links, | ||||
|     }, | ||||
|     "additionalProperties": False, | ||||
| } | ||||
|  | ||||
| # Response body of the `GET /v3/roles/{prior_role_id}/implies` API operation | ||||
| # returning a single role inference | ||||
| role_inference_show_response_body: dict[str, Any] = { | ||||
|     "type": "object", | ||||
|     "properties": { | ||||
|         "role_inference": { | ||||
|             "type": "object", | ||||
|             "description": "A role inference object.", | ||||
|             "properties": { | ||||
|                 "prior_role": prior_role_schema, | ||||
|                 "implies": { | ||||
|                     "type": "array", | ||||
|                     "items": implied_role_schema, | ||||
|                     "description": "A list of implied role objects.", | ||||
|                 }, | ||||
|             }, | ||||
|             "additionalProperties": False, | ||||
|         }, | ||||
|         "links": response_types.links, | ||||
|     }, | ||||
|     "additionalProperties": False, | ||||
| } | ||||
|  | ||||
| # Response body of the `GET /v3/role_inferences` API operation | ||||
| # returning a list of role inferences | ||||
| role_inferences_index_response_body: dict[str, Any] = { | ||||
|     "type": "object", | ||||
|     "properties": { | ||||
|         "role_inferences": { | ||||
|             "type": "array", | ||||
|             "description": "A list of role inference objects.", | ||||
|             "items": { | ||||
|                 "type": "object", | ||||
|                 "properties": { | ||||
|                     # NOTE(0weng): The example in the docs incorrectly | ||||
|                     # includes the `description` field in the output. | ||||
|                     "prior_role": prior_role_schema, | ||||
|                     "implies": { | ||||
|                         "type": "array", | ||||
|                         "items": implied_role_schema, | ||||
|                         "description": "A list of implied role objects.", | ||||
|                     }, | ||||
|                 }, | ||||
|                 "additionalProperties": False, | ||||
|             }, | ||||
|             "additionalProperties": False, | ||||
|         }, | ||||
|         "links": response_types.links, | ||||
|     }, | ||||
|     "additionalProperties": False, | ||||
| } | ||||
|   | ||||
		Reference in New Issue
	
	Block a user
	 Zuul
					Zuul