From 986c3eb08aa019a5793074fd7bade83972135271 Mon Sep 17 00:00:00 2001
From: Marek Denis
Date: Wed, 5 Feb 2014 00:09:30 +0000
Subject: Support authentication via SAML 2.0 assertions

This patch will support authentication via SAML 2.0 assertions. A new authentication plugin will allow external users to authenticate with keystone, provided the incoming assertion is valid. The file keystone/contrib/federation/controllers.py was extended with two new controllers.V3Controller classes:
*) DomainV3 which handles /v3/OS-FEDERATION/domains API call and returns list of domains a user can access based on the provided list of groups.
*) ProjectV3 which handles /v3/OS-FEDERATION/projects API call and returns list of project a user can access based on the provided list of groups.
Change-Id: I89f70e3a24e825e21580772c088c6fd5c44f3b63
Implements: blueprint saml-id
---
 keystone/assignment/backends/sql.py | 46 +++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
(limited to 'keystone/assignment/backends/sql.py')
diff --git a/keystone/assignment/backends/sql.py b/keystone/assignment/backends/sql.py
index 76b4f7b9c..595658bb5 100644
--- a/keystone/assignment/backends/sql.py
+++ b/keystone/assignment/backends/sql.py
@@ -279,6 +279,52 @@ class Assignment(assignment.Driver):
         return _project_ids_to_dicts(session, project_ids)
+    def get_roles_for_groups(self, group_ids, project_id=None, domain_id=None):
+
+        if project_id is not None:
+            assignment_type = AssignmentType.GROUP_PROJECT
+            target_id = project_id
+        elif domain_id is not None:
+            assignment_type = AssignmentType.GROUP_DOMAIN
+            target_id = domain_id
+        else:
+            raise AttributeError(_("Must specify either domain or project"))
+
+        sql_constraints = sql.and_(
+            RoleAssignment.type == assignment_type,
+            RoleAssignment.target_id == target_id,
+            Role.id == RoleAssignment.role_id,
+            RoleAssignment.actor_id.in_(group_ids))
+
+        session = db_session.get_session()
+        with session.begin():
+            query = session.query(Role).filter(
+                sql_constraints).distinct()
+            return [role.to_dict() for role in query.all()]
+
+    def _list_entities_for_groups(self, group_ids, entity):
+        if entity == Domain:
+            assignment_type = AssignmentType.GROUP_DOMAIN
+        else:
+            assignment_type = AssignmentType.GROUP_PROJECT
+
+        group_sql_conditions = sql.and_(
+            RoleAssignment.type == assignment_type,
+            entity.id == RoleAssignment.target_id,
+            RoleAssignment.actor_id.in_(group_ids))
+
+        session = db_session.get_session()
+        with session.begin():
+            query = session.query(entity).filter(
+                group_sql_conditions)
+            return [x.to_dict() for x in query.all()]
+
+    def list_projects_for_groups(self, group_ids):
+        return self._list_entities_for_groups(group_ids, Project)
+
+    def list_domains_for_groups(self, group_ids):
+        return self._list_entities_for_groups(group_ids, Domain)
+
     def add_role_to_user_and_project(self, user_id, tenant_id, role_id):
         with sql.transaction() as session:
             self._get_project(session, tenant_id)
-- 
cgit v1.2.1
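Review bot: `_list_entities_for_groups` filters only on assignment type, target and actor, so a disabled project or domain that one of the groups is assigned to is still returned; since the commit message says these lists are what a federated user is offered as scopes, either add an enabled filter next to `entity.id == RoleAssignment.target_id` (e.g. `entity.enabled == True`, if Project and Domain carry that column as they do elsewhere in keystone) or state in a docstring that callers must filter disabled entities themselves. In `get_roles_for_groups`, `AttributeError` is a surprising type for a missing-argument condition — callers would expect a validation-style error or at least `ValueError` — and when both `project_id` and `domain_id` are passed the project silently wins, which a docstring should say. `if entity == Domain:` compares classes by equality where `is` is the idiomatic test. An empty `group_ids` reaches `in_([])`, which SQLAlchemy accepts but warns about; an early `if not group_ids: return []` in both methods avoids the warning and a needless round-trip. The enclosing class `Assignment` starts before the hunk and continues after it.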