authorColleen Murphy <colleen.murphy@suse.de>2019-03-18 14:20:15 +0100
committerColleen Murphy <colleen.murphy@suse.de>2019-03-27 17:15:00 +0100
commitbe452fee80fabe252b2dae3be76c1d46fdd857e4 (patch)
tree9b8d3b15b968fc229313e8d5e15c2306c5bdfa56 /keystone/api/users.py
parent947e0a2e394fe47047ca1568e3a6f8b19b3c1f78 (diff)
Add domain scope support for group policies
This commit adds support for the domain scope type for the group API policies. It defines appropriate policies for the reader, member, and admin roles and adds tests for each case. Change-Id: Iaff3c0e45423ef427ef1458250c402c44be4b1d6 Closes-bug: #1808859 Partial-Bug: #968696
Diffstat (limited to 'keystone/api/users.py')
-rw-r--r--keystone/api/users.py21
1 files changed, 18 insertions, 3 deletions
diff --git a/keystone/api/users.py b/keystone/api/users.py
index cf2bf7a40..97626da9b 100644
--- a/keystone/api/users.py
+++ b/keystone/api/users.py
@@ -98,6 +98,10 @@ def _build_user_target_enforcement():
target['user'] = PROVIDERS.identity_api.get_user(
flask.request.view_args.get('user_id')
)
+ if flask.request.view_args.get('group_id'):
+ target['group'] = PROVIDERS.identity_api.get_group(
+ flask.request.view_args.get('group_id')
+ )
except ks_exception.NotFound: # nosec
# Defer existence in the event the user doesn't exist, we'll
# check this later anyway.
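Review bot: The added `get_group` call shares one `try` with `get_user`, so a missing user skips the group lookup entirely and a missing group leaves `target` holding only `user`; any policy rule that reads the group's domain from the target is then evaluated against a partial target. That presumably fails closed in the enforcer, but it is worth a test with a domain-scoped token and a nonexistent `group_id`. The existing comment still mentions only the user and should cover both, e.g. `# Defer existence checks: if the user or group doesn't exist the target stays partial; existence is checked later.` The rest of `_build_user_target_enforcement` lies outside the hunk, so how `target` is returned is not visible here.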
@@ -285,10 +289,15 @@ class UserGroupsResource(ks_flask.ResourceBase):
@staticmethod
def _built_target_attr_enforcement():
- ref = {}
+ ref = None
if flask.request.view_args:
- ref['user'] = PROVIDERS.identity_api.get_user(
- flask.request.view_args.get('user_id'))
+ try:
+ ref = {'user': PROVIDERS.identity_api.get_user(
+ flask.request.view_args.get('user_id'))}
+ except ks_exception.NotFound: # nosec
+ # Defer existence in the event the user doesn't exist, we'll
+ # check this later anyway.
+ pass
return ref
def get(self, user_id):
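Review bot: `_built_target_attr_enforcement` now returns `None` both when there are no view args and when the user lookup raises `NotFound`, where it previously returned `{}` or let the exception propagate. Whatever consumes this value has to treat `None` as "no target" and still deny a domain-scoped caller; that consumer is not visible in this hunk, so please confirm it and add a test for a nonexistent `user_id`. A one-line docstring would make the contract explicit: `"""Return {'user': <user ref>} for policy enforcement, or None if the user cannot be resolved."""`.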
@@ -303,6 +312,12 @@ class UserGroupsResource(ks_flask.ResourceBase):
filters=filters)
refs = PROVIDERS.identity_api.list_groups_for_user(user_id=user_id,
hints=hints)
+ if (self.oslo_context.domain_id):
+ filtered_refs = []
+ for ref in refs:
+ if ref['domain_id'] == self.oslo_context.domain_id:
+ filtered_refs.append(ref)
+ refs = filtered_refs
return self.wrap_collection(refs, hints=hints)
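Review bot: The domain filter in `get` runs after `list_groups_for_user` has already been called with `hints`, so any limit or truncation carried by `hints` is computed over groups from every domain, and the filtered result can come back short or with a misleading truncation flag. If the driver honours it, pushing the constraint into the query before the call (`hints.add_filter('domain_id', self.oslo_context.domain_id)`) avoids that; otherwise the loop reads more directly as `refs = [r for r in refs if r['domain_id'] == self.oslo_context.domain_id]`. This filter appears to be what keeps a domain-scoped caller from seeing other domains' groups on this path, so it deserves a short why-comment. The start of `get` is outside this hunk.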